xiaohongshu

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires users to download and install pre-compiled binaries (xiaohongshu-mcp and xiaohongshu-login) from an untrusted third-party GitHub repository (github.com/xpzouying/xiaohongshu-mcp) as described in README.md and scripts/install-check.sh.
  • [DATA_EXFILTRATION]: The script scripts/start-mcp.sh copies sensitive session cookies from the user's home directory to /tmp/cookies.json. In multi-user environments, data in /tmp is often world-readable, potentially exposing the user's Xiaohongshu session to other local users.
  • [COMMAND_EXECUTION]: The skill frequently executes external commands and binaries. For example, scripts/start-mcp.sh launches the downloaded xiaohongshu-mcp binary, and scripts/track-topic.py uses subprocess.run to call shell scripts that interact with local services.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from Xiaohongshu posts and comments (e.g., in scripts/track-topic.py) and incorporates it into reports or document exports (Feishu). If an agent subsequently reads these reports, malicious instructions embedded in social media content could influence the agent's behavior.
    • Ingestion points: scripts/track-topic.py fetches search results and comments via the MCP tool.
    • Boundary markers: No specific delimiters or safety instructions are used to wrap the untrusted content in the generated Markdown reports.
    • Capability inventory: The skill can write files, download images, and export data to other tools like Feishu.
    • Sanitization: While scripts/export-long-image.py includes robust SSRF protection for image URLs, the text content from posts is not sanitized for injection patterns.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 21, 2026, 04:45 PM