xiaohongshu
Fail
Audited by Snyk on Mar 21, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt's examples and scripts require passing secrets like an xsec_token and cookies as command-line arguments or copying cookies, which would force the agent to handle and potentially output secret values verbatim.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The GitHub link points to an unverified user repository that contains shell scripts you are instructed to run and downloads a headless browser (potentially arbitrary binaries); these can execute arbitrary code if malicious. The .webp image links themselves are low-risk, but running scripts from an untrusted repo without review is potentially dangerous.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and ingests public Xiaohongshu user-generated content. For example, scripts/track-topic.py calls search_feeds and get_feed_detail to pull posts and comments, and tools/xhs-downloader (batch_download.py, export_to_workspace.py) downloads and imports liked/saved posts into the AI memory, as described in SKILL.md/README. The agent reads this content and uses it to generate reports and populate memory, so third-party content can materially influence subsequent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill requires downloading and executing external binaries and code as part of setup/runtime (e.g., wget https://github.com/xpzouying/xiaohongshu-mcp/releases/latest/download/xiaohongshu-mcp-linux-amd64.tar.gz and git clone https://github.com/JoeanAmier/XHS-Downloader.git / raw script https://raw.githubusercontent.com/JoeanAmier/XHS-Downloader/refs/heads/master/static/XHS-Downloader.js). This is remote code that is fetched and executed, and thus constitutes a runtime external dependency that can execute remote code.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).