xhs-note-creator
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requires the user to provide an "XHS_COOKIE" in an ".env" file. This cookie contains session tokens that grant full access to the user's Xiaohongshu account. Evidence found in
publish_xhs.pyandpublish_xhs_browser.py. - [DATA_EXFILTRATION]: The script
scripts/publish_xhs.pyfeatures an "API mode" that sends the user's session cookie to a configurable server defined by theXHS_API_URLenvironment variable. While it defaults to localhost, this mechanism creates a vector for sending sensitive credentials to arbitrary network locations. - [EXTERNAL_DOWNLOADS]: The skill fetches browser binaries via the Playwright framework and loads external typography from Google Fonts (
fonts.googleapis.com) during the image rendering process. These are well-known services used for the skill's primary purpose. - [COMMAND_EXECUTION]: The skill's setup instructions require the execution of
playwright install chromiumto download and install browser components on the host system. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes untrusted user-provided Markdown content into HTML templates for rendering.
- Ingestion points: Markdown content provided by the user (processed in
scripts/render_xhs.pyandscripts/render_xhs.js). - Boundary markers: None identified in the prompt templates.
- Capability inventory: Network operations in
publish_xhs.pyand local file access through the Playwright browser engine. - Sanitization: Relies on standard Markdown-to-HTML conversion which may not strip all malicious payloads.
Audit Metadata