xiaohongshu-user-profile
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Unsafe shell command construction in SKILL.md. The instructions direct the agent to execute commands using eval "$(python scripts/... {params})". Parameters such as {user_id} and {limit} are interpolated directly into the bash shell without quoting or validation, enabling arbitrary command injection if the input contains shell metacharacters (e.g., $(...), backticks, or semicolons).
- [COMMAND_EXECUTION]: JavaScript injection vulnerability in scripts/extract-user-profile.py. The Python script generates JavaScript code by interpolating the user_id argument directly into a single-quoted string literal: userId: '{args.user_id}'. An attacker providing a malicious user ID containing a single quote (e.g., '; alert(1); //) can break out of the string and execute arbitrary JavaScript code within the user's browser session.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: Untrusted data is ingested from window.__INITIAL_STATE__ on xiaohongshu.com profile pages, including user nicknames, bios, and note titles.
  - Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the scraped content.
  - Capability inventory: The skill has access to browser controls via browser-act and local shell execution via the eval pattern.
  - Sanitization: None. Data from the external website is returned to the agent as raw JSON without escaping or validation, allowing malicious content on a profile page to potentially influence the agent's behavior.
Audit Metadata