xiaohongshu-prohibited-word
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXPOSURE]: The script
scripts/check_sensitive_words.pyimplements a routine_get_api_key()that scans several sensitive local shell configuration files (~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile, ~/.zprofile) to locate the REDFOX_API_KEY. Accessing these files can expose other environment variables or secrets stored in the user's shell profiles. - [DATA_EXFILTRATION]: The skill sends text content provided by the user (or extracted from files and URLs) to the external endpoint
https://redfox.hk/story/api/cozeSkill/sensitiveWordSearchfor processing. While this is the stated purpose of the skill, it involves the transmission of potentially sensitive user data to a third-party domain. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
playwrightlibrary and the execution ofplaywright install chromium, which downloads and installs the Chromium browser binary into the execution environment. - [COMMAND_EXECUTION]: The core workflow instructs the agent to create and write optimization results to local text files (e.g.,
./小红书_优化文案_*.txt) using file system operations. - [INDIRECT_PROMPT_INJECTION]: The skill possesses a broad ingestion surface for untrusted data, including local files (DOCX, TXT, CSV, MD) and remote web pages via the
extract_from_webfunction. - Ingestion points:
extract_from_fileandextract_from_webinscripts/check_sensitive_words.py. - Boundary markers: No explicit instruction delimiters or boundary markers are used when processing the extracted text.
- Capability inventory: The agent can write files to the local disk and perform network requests to the vendor's API.
- Sanitization: The script uses
BeautifulSoupto strip HTML tags from web content, but the extracted plain text is passed directly to the detection logic without further instruction-stripping filters.
Audit Metadata