xiaohongshu-note-detail

Fail

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md use shell command substitution $(...) to run Python scripts with unvalidated user input ({note_id}). A crafted note ID containing shell metacharacters (e.g., ;, &, or backticks) could lead to arbitrary command execution on the host machine running the agent.
  • [COMMAND_EXECUTION]: The scripts scripts/extract-note-detail.py and scripts/extract-note-comments.py interpolate the note_id parameter directly into a JavaScript code template. This creates a risk of JavaScript injection if the parameter contains characters that break out of the string literal (such as quotes or backslashes), allowing unauthorized script execution in the context of the Xiaohongshu web page.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it ingests untrusted content (Xiaohongshu comments) and returns it to the agent without sanitization. An attacker could place malicious instructions in a Xiaohongshu comment to influence the agent's subsequent actions.
    • Ingestion points: scripts/extract-note-comments.py extracts user-generated comment text from the DOM via the Vue SSR state.
    • Boundary markers: Absent; the instructions do not specify delimiters around the extracted data or warnings to ignore instructions embedded in it.
    • Capability inventory: The skill uses the bash tool for command execution and the browser-act tool for browser automation.
    • Sanitization: No validation, escaping, or filtering is performed on the extracted content before it is passed back to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Jun 13, 2026, 04:39 AM
Security Audit — agent-trust-hub — xiaohongshu-note-detail