xhs-publisher
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples that pass API keys directly on the command line (e.g., --key-value "sk-xxx") and commands that retrieve or display keys, which would require the agent to echo secret values verbatim in its outputs, a high exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly scrapes untrusted public sources (百度/头条/哔哩哔哩) via the trending commands (SKILL.md and xhs_auto.py cmd_trending/cmd_hot) and fetches user-generated comments from creator.xiaohongshu.com (scripts/comments.py), then feeds that third-party text into LLM prompts and automated actions (generate_content / generate_reply → publish/reply), so external content can influence tool decisions and enable indirect prompt injection.
Audit Metadata