xhs

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). Yes — the prompt explicitly instructs the agent to read local user memory files (~/.claude/projects/*/memory/) to personalize notes, which is outside the stated purpose of extracting and saving a post and thus constitutes deceptive/unnecessary data-access instructions.

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read the user's exported Chrome cookies (~/cookies.json) and construct a Cookie header (cookie_str) that is then inserted verbatim into HTTP requests, which requires the agent to handle and could expose secret cookie values.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches Xiaohongshu post pages (requests to the user-provided Xiaohongshu URL using exported cookies) and parses window.INITIAL_STATE to ingest user-generated social-media content which the agent must read and use to produce judgments and follow-up outputs, so third-party page content can directly influence actions.