xiaohongshu

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's examples and CLI usage require passing sensitive values like <xsec_token> and cookies as direct command-line arguments (e.g., post-detail.sh <feed_id> <xsec_token>), which forces the agent to include secret values verbatim in generated commands/outputs.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The GitHub repo is a third-party project from an unknown user that contains shell scripts and automated downloads (potentially executable or fetching binaries), which should be reviewed before running. The .webp image links are low risk. Together they present a moderate chance of being used to distribute malware if you execute unreviewed scripts or follow automatic installer steps.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests user-generated content from the public Xiaohongshu site, both via MCP tools such as search_feeds and get_feed_detail (in scripts/mcp-call.sh and track-topic.py) and via the XHS-Downloader/Tampermonkey flow (tools/xhs-downloader/README.md and batch_download.py). That content is parsed and used to generate reports and trigger follow-up actions, so untrusted third-party content can influence agent behavior.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 8, 2026, 04:11 PM