xiaohongshu-write
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches trending Xiaohongshu note data from the RedFox API at https://redfox.hk/story/api/xhs/search/search. This is a core part of its documented functionality to provide data-driven insights from the vendor's own platform.
- [COMMAND_EXECUTION]: The provided Python script generates an HTML analysis report (e.g., keyword_热门数据.html) and saves it to the local filesystem. This is an intended feature to allow users to review the source data used for content generation.
- [DATA_EXFILTRATION]: User-provided keywords and the REDFOX_API_KEY are sent to the RedFox API to retrieve relevant data. This represents normal operational data flow for the service.
- [PROMPT_INJECTION]: The skill processes external data returned from the RedFox API, creating a surface for indirect prompt injection. However, this is inherent to the skill's purpose and the risk is considered negligible given the specific use case.
- Ingestion points: API response processed in scripts/fetch_xhs_hot_articles.py
- Boundary markers: Absent
- Capability inventory: Local file system writes (HTML reports), web search via web_search tool
- Sanitization: Title and description data is escaped when generating HTML reports to prevent XSS
Audit Metadata