xiaohongshu

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The script scripts/start-mcp.sh copies the user's Xiaohongshu session cookies from home directories to /tmp/cookies.json. /tmp is shared by every local user, and a file created there inherits the script's umask (typically 022, which yields mode 0644), so the session cookies become readable by any other user or process on the machine. Anyone holding those cookies can act as the user on Xiaohongshu without a password.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): Documentation instructs users to download binaries and clone repositories from xpzouying/xiaohongshu-mcp and JoeanAmier/XHS-Downloader. These are third-party projects rather than releases from a vetted organization, and the downloaded code runs with the user's full permissions, so a compromise of either repository or of the download channel would execute as the user.
  • [COMMAND_EXECUTION] (HIGH): Several scripts, including scripts/mcp-call.sh and scripts/comment.sh, interpolate user-controlled variables (including post content fetched from Xiaohongshu) directly into double-quoted shell strings that are then used to build curl invocations. Where such a composed string is handed back to the shell for a second parse (eval, sh -c, or an unquoted heredoc), backticks or $(...) embedded in a post execute with the user's privileges. Note that expanding "$var" once does not re-run command substitution on the variable's value; the exposure comes from the re-parsing step, so the fix is to stop re-parsing untrusted text rather than to filter characters.
  • [PROMPT_INJECTION] (LOW): The scripts/track-topic.py script aggregates post content from Xiaohongshu into reports that the agent then reads. That content is untrusted and can carry instructions aimed at the agent, which makes the reports an indirect prompt injection surface.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The scripts/track-topic.py script dynamically locates and executes scripts from other skills based on computed paths. If a malicious skill can be placed at one of those expected paths, the script will run it as the user without any check on what it found.
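The CREDENTIALS_UNSAFE finding above, as an added example that is not code from the audited skill: a copy into a fixed /tmp path beside a copy into an owner-only file created by mktemp. The destination directory is a parameter here (in practice $XDG_RUNTIME_DIR or a 0700 directory under $HOME); the sample cookie content and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Demonstrates why a fixed
# /tmp/cookies.json is readable by other users, and what a private copy
# looks like. All paths and contents are constructed for this example.
set -u

# Constructed stand-in for the user's real session cookie file.
make_sample_cookies() {
  d=$(mktemp -d) || return 1
  printf '[{"name":"web_session","value":"constructed-sample-value"}]\n' > "$d/cookies.json"
  printf '%s' "$d/cookies.json"
}

# Returns 0 when the "other" read bit is set on the file (POSIX find -perm -004).
world_readable() {
  [ -n "$(find "$1" -prune -perm -004)" ]
}

# Vulnerable pattern described in the finding: write into a predictable
# path in a shared directory. A new file gets 0666 & ~umask; with the usual
# 022 that is 0644, so every local user can read the session cookies.
# (umask 022 is set explicitly so the result is reproducible; a cp of a
# 0644 source behaves the same way.)
copy_cookies_unsafe() {
  src="$1"; dest="$2/cookies.json"
  (umask 022; cat "$src" > "$dest") || return 1
  printf '%s' "$dest"
}

# Hardened pattern: mktemp creates the file 0600 with an unpredictable name,
# and cp into an existing file keeps that mode. Use a user-private
# directory ($XDG_RUNTIME_DIR, or a 0700 directory under $HOME) as "$2".
copy_cookies_private() {
  src="$1"
  dest=$(mktemp "$2/cookies.XXXXXX") || return 1
  cp "$src" "$dest" || return 1
  printf '%s' "$dest"
}
```

Delete the private copy when the MCP process exits (a trap on EXIT is enough), and never fall back to /tmp when the private directory is missing; fail instead.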
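The COMMAND_EXECUTION finding above, as an added example that is not code from the audited skill: the re-parsing pattern that lets $(...) in post content run, beside a body builder that escapes the content once and never hands it back to the shell. The sample post text is constructed; no real endpoint is called.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Shows how untrusted post
# content becomes a command when a composed string is re-parsed with eval,
# and how to build the JSON request body without a second parse.
set -u

# Constructed sample: post text carrying a command substitution. Backticks
# would behave the same way.
SAMPLE_CONTENT='great tips! $(echo INJECTED >&2; echo RAN)'

# Vulnerable pattern: the request is assembled as one string and then
# handed back to the shell with eval. The first expansion inserts the
# content verbatim; eval parses it again, so $(...) executes. A real script
# would pass "$cmd" to eval with a curl in it; printf stands in for curl.
vulnerable_body() {
  content="$1"
  cmd="printf '%s' \"{\\\"content\\\": \\\"$content\\\"}\""
  eval "$cmd"
}

# Minimal JSON string escaping for backslash and double quote. It does not
# handle control characters or newlines; prefer `jq -n --arg c "$content"
# '{content: $c}'` where jq is available.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Hardened pattern: expand "$content" exactly once into a printf argument.
# A single expansion does not re-run command substitution on the value, so
# $(...) and backticks stay literal text inside the JSON string.
safe_body() {
  printf '{"content": "%s"}' "$(json_escape "$1")"
}
```

Send the result with `curl --data "$(safe_body "$content")"` (or write it to a file and use `--data @file`); the content then reaches curl as argv data and is never parsed by the shell a second time.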
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 10:52 AM