xiaohongshu-card-notes

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file _postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cli_config.mjs reads and writes sensitive session tokens (cliSessionToken) to local configuration files located in platform-specific directories such as ~/.config/postplus/config.json or Library/Application Support/postplus.
  • [EXTERNAL_DOWNLOADS]: The script _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs is designed to download media content from arbitrary remote URLs provided in a manifest file using the yt_dlp utility.
  • [COMMAND_EXECUTION]: Multiple scripts perform shell command execution using the spawn module:
      • download_videos_from_manifest_with_ytdlp.mjs executes python3 -m yt_dlp with arguments derived from an input manifest.
      • _postplus_shared/00-core/shared-runtime/scripts/lib/large_credit_confirmation.mjs executes the postplus CLI tool (or a command specified via environment variables like POSTPLUS_CLI_BIN).
  • [DATA_EXFILTRATION]: The skill contains a comprehensive network runtime (_postplus_shared/00-core/shared-runtime/scripts/lib/network_runtime.mjs) and cloud client (_postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cloud_client.mjs) that can send data to external endpoints, including the vendor's API base URL. This capability, combined with access to local session tokens, creates a risk for data exfiltration.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it is instructed to process untrusted HTML landing pages, scripts, and source materials. These materials could contain hidden instructions designed to influence the agent's behavior or exploit the available network and command execution tools.
      • Ingestion points: User-provided HTML files, spoken scripts, and markdown memos.
      • Boundary markers: None identified in the prompt instructions to isolate untrusted content.
      • Capability inventory: Subprocess execution (yt_dlp, postplus CLI), network operations (HTTP/HTTPS/Fetch), and file system writes.
      • Sanitization: No explicit sanitization of input HTML or script content is performed before processing.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 01:13 PM