xhs-explore
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that attempt to override the agent's behavior by explicitly telling it to ignore other tools and previous project implementations (e.g., xiaohongshu-mcp). This is a tactic used to force adherence to specific skill logic over the agent's broader capabilities or knowledge.
- [COMMAND_EXECUTION]: The skill relies on executing a local Python script (scripts/cli.py) with various command-line arguments to perform searches and fetch data. This utilizes the agent's ability to execute shell commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and analyzes content from Xiaohongshu, such as note descriptions and user comments, which are attacker-controlled external inputs.
- Ingestion points: Note content, interaction data, and comments fetched from Xiaohongshu via the CLI tool.
- Boundary markers: No delimiters or warnings to ignore embedded instructions are specified in the workflow.
- Capability inventory: Execution of local Python scripts with dynamic parameters.
- Sanitization: No evidence of sanitization or filtering of the external data before it is processed by the agent.
Audit Metadata