xiaohongshu-note-detail
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in SKILL.md use shell command substitution $(...) to execute Python scripts with unvalidated user input ({note_id}). A crafted note ID containing shell metacharacters (e.g., ;, &, or backticks) could lead to arbitrary command execution on the host machine running the agent.
- [COMMAND_EXECUTION]: The scripts scripts/extract-note-detail.py and scripts/extract-note-comments.py interpolate the note_id parameter directly into a JavaScript code template. This creates a risk of JavaScript injection if the parameter contains characters that break out of the string literal (such as quotes or backslashes), allowing unauthorized script execution in the context of the Xiaohongshu web page.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface: it ingests untrusted content (Xiaohongshu comments) and returns it to the agent without sanitization. An attacker could place malicious instructions within a Xiaohongshu comment to influence the agent's subsequent actions.
  - Ingestion points: scripts/extract-note-comments.py extracts user-generated comment text from the DOM via Vue SSR state.
  - Boundary markers: Absent; the instructions do not specify the use of delimiters or warnings to ignore instructions embedded in the extracted data.
  - Capability inventory: The skill uses the bash tool for command execution and the browser-act tool for browser automation.
  - Sanitization: No validation, escaping, or filtering is performed on the extracted content before it is passed back to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata