xiaohongshu-user-profile

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: Unsafe shell command construction in SKILL.md. The instructions direct the agent to execute commands using eval "$(python scripts/... {params})". Parameters such as {user_id} and {limit} are interpolated directly into the bash shell without quoting or validation, enabling arbitrary command injection if the input contains shell metacharacters (e.g., $(...), backticks, or semicolons).
  • [COMMAND_EXECUTION]: JavaScript injection vulnerability in scripts/extract-user-profile.py. The Python script generates JavaScript code by interpolating the user_id argument directly into a single-quoted string literal: userId: '{args.user_id}'. An attacker providing a malicious user ID containing a single quote (e.g., '; alert(1); //) can break out of the string and execute arbitrary JavaScript code within the user's browser session.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
      ◦ Ingestion points: Untrusted data is ingested from window.__INITIAL_STATE__ on xiaohongshu.com profile pages, including user nicknames, bios, and note titles.
      ◦ Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the scraped content.
      ◦ Capability inventory: The skill has access to browser controls via browser-act and local shell execution via the eval pattern.
      ◦ Sanitization: None. Data from the external website is returned to the agent as raw JSON without escaping or validation, allowing malicious content on a profile page to potentially influence the agent's behavior.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 13, 2026, 04:39 AM
Security Audit — agent-trust-hub — xiaohongshu-user-profile