xiaohongshu-creation-workflow
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to perform broad filesystem scans using shell commands such as
find ~anddir /sto dynamically locate sub-skills and configuration files. This discovery mechanism involves invasive filesystem operations across the user's home directory. - [PROMPT_INJECTION]: The skill includes a binary-encoded ZIP archive (
hand-drawn-infographic-updated.skill) that contains supplementary instructions and documentation (SKILL.md,design-guide.md). Embedding instructions in binary format obscures them from plain-text security audits and automated scanners. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests large amounts of untrusted user-provided content (e.g., articles for rewriting) to drive its internal analysis logic and image prompt generation without using boundary markers or sanitization.
- Ingestion points: User-provided text is saved to
source.mdand analyzed inanalysis.mdas part of the content creation workflow. - Boundary markers: Absent. No clear instructions are provided to the agent to treat the input as data only or to disregard any embedded instructions.
- Capability inventory: The skill has the ability to execute shell commands, manage local files, and call interactive user-facing tools.
- Sanitization: Absent.
- [EXTERNAL_DOWNLOADS]: The skill fetches styling assets and font resources from well-known public CDN services including jsDelivr, Cloudflare, and Google Fonts to generate HTML previews. These resources originate from established and reputable providers.
Audit Metadata