xiaohongshu-creation-workflow

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to perform broad filesystem scans using shell commands such as find ~ and dir /s to dynamically locate sub-skills and configuration files. This discovery mechanism involves invasive filesystem operations across the user's home directory.
  • [PROMPT_INJECTION]: The skill includes a binary-encoded ZIP archive (hand-drawn-infographic-updated.skill) that contains supplementary instructions and documentation (SKILL.md, design-guide.md). Embedding instructions in binary format obscures them from plain-text security audits and automated scanners.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests large amounts of untrusted user-provided content (e.g., articles for rewriting) to drive its internal analysis logic and image prompt generation without using boundary markers or sanitization.
  • Ingestion points: User-provided text is saved to source.md and analyzed in analysis.md as part of the content creation workflow.
  • Boundary markers: Absent. No clear instructions are provided to the agent to treat the input as data only or to disregard any embedded instructions.
  • Capability inventory: The skill has the ability to execute shell commands, manage local files, and call interactive user-facing tools.
  • Sanitization: Absent.
  • [EXTERNAL_DOWNLOADS]: The skill fetches styling assets and font resources from well-known public CDN services including jsDelivr, Cloudflare, and Google Fonts to generate HTML previews. These resources originate from established and reputable providers.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 23, 2026, 08:43 AM
Security Audit — agent-trust-hub — xiaohongshu-creation-workflow