xiaohongshu-account-analyzer

Warn

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/xiaohongshu_analyzer.py used by the skill explicitly disables SSL/TLS certificate verification. The code uses ssl.CERT_NONE and sets check_hostname = False when creating the SSL context for API requests. This creates a vulnerability where sensitive data, including the user's REDFOX_API_KEY, could be intercepted or modified by a Man-in-the-Middle (MITM) attacker during transmission to the vendor's infrastructure.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to interact with the vendor's API at https://redfox.hk for querying account data and synchronizing notes. It also references images and resources from https://lyy.redfox.hk and well-known CDNs like jsdelivr.net. These are functional dependencies for the skill's data-driven diagnostics.
  • [DATA_EXFILTRATION]: The skill transmits the user's secret REDFOX_API_KEY to the vendor's server to authenticate requests. While this is the intended data flow for the service, the insecure transport configuration (disabling SSL verification) identified in the command execution analysis means this transmission of credentials is not properly secured.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from the Xiaohongshu platform—such as user nicknames, signatures, and post descriptions—and interpolates this content into reports. This data is processed by the agent to generate diagnostic scores and optimization advice.
      • Ingestion points: Data fetched from external social media profiles via the redfox.hk API, saved into output/raw_data.json.
      • Boundary markers: The prompt templates in references/report_template.md do not utilize protective delimiters or instructions to prevent the agent from following malicious commands that might be embedded in the retrieved social media content.
      • Capability inventory: The agent possesses the capability to execute local scripts and perform web searches, which increases the potential impact of a successful injection.
      • Sanitization: There is no evidence of sanitization or filtering of the retrieved social media content before it is processed by the AI.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 12, 2026, 07:51 PM