xiaohongshu-notes
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill includes a utility script `_postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs` that can download media from external URLs using the `yt-dlp` library based on a manifest.
- [COMMAND_EXECUTION]: Subprocesses are used to run `python3` (for media processing) and the vendor's CLI tool (`postplus`) for administrative tasks such as billing confirmation and capability execution.
- [DATA_EXFILTRATION]: Shared scripts access local configuration files to retrieve session tokens, which are sent to the vendor's API endpoints for authentication. This is standard behavior for vendor-integrated skills.
- [PROMPT_INJECTION]: The skill processes raw user material (fragments, drafts), which represents an indirect prompt injection attack surface.
  - Ingestion points: User-provided drafts and scattered thoughts processed according to `SKILL.md`.
  - Boundary markers: Absent; instructions do not specify the use of delimiters to isolate untrusted user input.
  - Capability inventory: Includes network operations, file system access, and subprocess execution via shared libraries.
  - Sanitization: No explicit sanitization or filtering of the source material is implemented.