AGENT LAB: SKILLS

xiaohongshu

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: CRITICAL

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt exposes parameters like "xsec_token" and refers to cookies, and its CLI examples show passing tokens as command-line arguments (e.g., post-detail.sh <note_id> <xsec_token>), which would require the agent to include secret values verbatim in generated commands/outputs — high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). This is a third‑party GitHub repository from an unverified user containing shell scripts and installation steps that download/run binaries (headless browser); while not an immediate .exe/shortened-link red flag, executing scripts from an untrusted repo can run arbitrary code and is moderately-to-highly risky.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill directly fetches and ingests user-generated content from the public Xiaohongshu website (e.g., scripts/search.sh, recommend.sh, post-detail.sh and track-topic.py via mcp-call.sh, plus tools/xhs-downloader which extracts links from https://www.xiaohongshu.com), and then reads/comments/analyzes posts and comments to generate reports and AI memory, exposing the agent to untrusted third‑party content that could carry indirect prompt injection.

Audit Metadata

Analyzed: Feb 18, 2026, 10:51 AM