The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The files cookies.json and data/cookies.json contain active, hardcoded session cookies (including web_session and id_token) for xiaohongshu.com. These credentials provide full authenticated access to the associated user account.
[REMOTE_CODE_EXECUTION]: The install.sh script downloads binary executables from an external repository (github.com/xpzouying/xiaohongshu-mcp) and executes them locally. It also suggests a 'curl | bash' installation pattern which is a high-risk remote code execution vector.
[COMMAND_EXECUTION]: Multiple scripts (xhs_client.py, xhs_mcp.py) use the subprocess and os.system modules to execute local binaries and external messaging tools for browser automation and notifications.
[PROMPT_INJECTION]: The skill's operational strategy (STRATEGY.md) contains instructions for the agent to adopt an aggressive 'debater' persona. It specifically directs the agent to 'firmly refute' and 'slap in the face' users who disagree with its posts, attempting to override neutral safety guidelines.
[EXTERNAL_DOWNLOADS]: In addition to binary downloads, the skill dynamically fetches images from source.unsplash.com based on content keywords.
[DATA_EXFILTRATION]: The automated login script scripts/xhs_login_sop.py captures screenshots of sensitive QR codes and transmits them to a specific external Feishu (Lark) user ID using the openclaw message tool.
[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external content from social media comments to generate automated replies.
Ingestion points: scripts/xhs_client.py and scripts/xhs_mcp.py fetch feed details and user comment lists.
Boundary markers: Absent; untrusted content is interpolated directly into prompts.
Capability inventory: The skill has the capability to read account data, publish new content, and post replies.
Sanitization: No validation or filtering of external comment text is evident before processing.

xiaohongshu-mcp