xiaohongshu

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The documentation (README.md and README_CN.md) explicitly instructs users to download executable binaries from an untrusted third-party GitHub repository ('github.com/xpzouying/xiaohongshu-mcp').
  • [REMOTE_CODE_EXECUTION]: The skill's operational scripts, specifically 'scripts/start-mcp.sh' and 'scripts/login.sh', are designed to execute these unverified third-party binaries ('xiaohongshu-mcp' and 'xiaohongshu-login') from the user's local directory.
  • [COMMAND_EXECUTION]: The 'scripts/track-topic.py' script contains logic in the 'find_feishu_scripts' function to search the filesystem for scripts belonging to other AI agent skills (specifically 'feishu-docs') and executes them using 'subprocess.run'.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). It fetches untrusted data including post titles, descriptions, and user comments from Xiaohongshu and incorporates them into Markdown reports or workspace files.
    • Ingestion points: 'scripts/track-topic.py' (via MCP tool calls) and 'tools/xhs-downloader/export_to_workspace.py' (via SQLite database).
    • Boundary markers: Absent. While Markdown blockquotes are used in reports, there are no instructions or delimiters telling the agent to ignore embedded commands within the fetched content.
    • Capability inventory: The skill can execute shell commands via 'mcp-call.sh', run Python subprocesses, and perform network requests via 'urllib.request'.
    • Sanitization: Content is truncated but not sanitized for malicious instructions or control sequences.
  • [CREDENTIALS_UNSAFE]: The 'scripts/start-mcp.sh' script copies session cookies ('cookies.json') to '/tmp/cookies.json', which may expose sensitive authentication tokens on multi-user systems depending on the environment's temporary directory security.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 8, 2026, 04:12 PM