skills/solar-luna/fully-automatic-article-generation-skill/xiaohongshu-publisher/Gen Agent Trust Hub
xiaohongshu-publisher
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The README.md instructions require downloading configuration files from https://raw.githubusercontent.com/xpzouying/xiaohongshu-mcp/main/docker/docker-compose.yml. The 'xpzouying' organization is not on the trusted list, posing a risk of unverifiable dependency.
- COMMAND_EXECUTION (LOW): The script `simple_publish.py` uses `subprocess.run` to execute a `cp` command. While intended for moving cover images, arbitrary command execution via environment variable injection (e.g., in `XHS_IMAGE_DIR`) is a theoretical risk.
- PROMPT_INJECTION (LOW): The skill provides an indirect prompt injection surface when processing external HTML content from WeChat articles.
  - Ingestion points: `publisher.py` and `scripts/content_adapter.py` ingest raw HTML content from user-provided files or strings.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the source content.
  - Capability inventory: `subprocess.run` (file operations) and `requests.post` (publishing to local API).
  - Sanitization: Limited to basic regex-based HTML tag removal (`re.sub(r'<[^>]+>', ' ', content)`), which may not prevent malicious instructions embedded in the text from influencing the agent's summarization logic.
- DATA_EXFILTRATION (LOW): The skill documentation indicates it relies on session cookies stored in `~/xiaohongshu-mcp/docker/data/cookies.json`. While it only sends this data to the local service, the presence of these credentials on disk is a sensitive factor.