xiaohongshu-search

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to run a shell command that generates code at runtime and executes it immediately: eval "$(python scripts/extract-search.py --limit {limit})". The shell eval executes whatever the script prints (the JavaScript snippet that the script generates), so the code that actually runs never appears in the skill text and cannot be audited from it. The {limit} parameter is substituted into that command line as raw text, so a value containing shell metacharacters is parsed by the shell before the script even runs, which makes it a command injection surface. The instructions also explicitly advise the agent not to inspect these scripts unless a failure occurs, which actively discourages security oversight.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from an external website.
      • Ingestion points: Scraped data (including titles and nicknames) is extracted from window.__INITIAL_STATE__.search.feeds using a JavaScript snippet generated by scripts/extract-search.py.
      • Boundary markers: No boundary markers or instructions are provided to the agent to distinguish this untrusted external data from system instructions.
      • Capability inventory: The skill uses the browser-act tool for browser manipulation and the bash tool for command execution, significant capabilities that could be abused if an injection succeeds.
      • Sanitization: No sanitization or validation is performed on the extracted content before it is returned to the agent's context.
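The COMMAND_EXECUTION finding above describes a template in which the agent pastes {limit} into a shell line and then evals whatever the script prints. The following shell script is an added example, not code from the skill or from this audit, that shows how a crafted limit value reaches the shell before the script runs, and what a validating wrapper looks like. scripts/extract-search.py is not available here, so fake_extract is a constructed stand-in that, like the real script, prints text for eval to execute; the accepted range 1..100 and all function names are assumptions made for the example.

```shell
# Added example (not the skill's or the audit's code): why the audited
# template is an injection surface, and a wrapper that closes it.
#
# The skill tells the agent to run, with {limit} pasted in as text:
#     eval "$(python scripts/extract-search.py --limit {limit})"
# scripts/extract-search.py is not available here; fake_extract is a
# constructed stand-in that prints a line for eval to execute.

# Constructed stand-in for `python scripts/extract-search.py --limit N`.
# It prints one shell line mentioning the limit it received.
fake_extract() {
  printf 'echo "extract: limit=%s"\n' "$2"
}

# Render the template the way the skill does: the limit value is
# substituted as raw text, with no quoting and no validation.
render_unsafe() {
  printf 'eval "$(fake_extract --limit %s)"' "$1"
}

# Run the rendered template. A limit such as `10; echo "echo INJECTED"` is
# parsed by the shell first: `echo "echo INJECTED"` runs inside the command
# substitution, its output joins the generated snippet, and eval executes
# both lines.
run_unsafe() {
  cmd=$(render_unsafe "$1")
  eval "$cmd"
}

# Accept only a decimal integer between 1 and 100 (an assumed sane range for
# a result count). Empty strings, signs, spaces, letters and shell
# metacharacters fail the first pattern; four or more characters fail the
# second, which also keeps the numeric test away from huge values.
validate_limit() {
  case "$1" in
    ''|*[!0-9]*|????*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# Hardened path: validate, pass the value as a single quoted argument, and
# return the script's output as data instead of eval-ing it. The caller can
# then hand the snippet to the browser tool as an argument.
run_safe() {
  validate_limit "$1" || { echo "rejected limit: $1" >&2; return 2; }
  fake_extract --limit "$1"
}

payload='10; echo "echo INJECTED"'
echo "rendered template: $(render_unsafe "$payload")"
echo "--- unsafe run:"
run_unsafe "$payload"          # prints the snippet's output, then INJECTED
echo "--- hardened run:"
run_safe "$payload" || echo "run_safe exit status $?"
run_safe 10                    # prints the generated snippet, unexecuted
```

The fix this models is upstream of the agent: the skill should not instruct a shell eval at all, because the script's output is data for the browser tool, not a command, and the limit should be validated before it is placed on any command line. An agent that is told not to read a script it is about to run has no way to make either check itself.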
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 13, 2026, 04:39 AM
Security Audit — agent-trust-hub — xiaohongshu-search