xiaohongshu-search
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute a shell command that dynamically generates and evaluates JavaScript:
eval "$(python scripts/extract-search.py --limit {limit})". This pattern of runtime code generation and evaluation increases the difficulty of auditing the skill and introduces a potential command injection surface via the{limit}parameter. Additionally, the instructions explicitly advise the agent not to inspect these scripts unless a failure occurs, which actively discourages security oversight. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of untrusted data from an external website.
- Ingestion points: Scraped data (including titles and nicknames) is extracted from
window.__INITIAL_STATE__.search.feedsusing a JavaScript snippet generated byscripts/extract-search.py. - Boundary markers: There are no boundary markers or instructions provided to the agent to distinguish this untrusted external data from system instructions.
- Capability inventory: The skill utilizes the
browser-acttool for browser manipulation and thebashtool for command execution, providing significant capabilities that could be abused if an injection is successful. - Sanitization: No sanitization or validation is performed on the extracted content before it is returned to the agent's context.
Audit Metadata