RedBookSkills

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.Popen in scripts/chrome_launcher.py to launch the Chrome browser with custom arguments. It also contains a path traversal vulnerability in scripts/account_manager.py where the add_account and remove_account functions use the user-supplied name parameter to construct directory paths (os.path.join(PROFILES_BASE, name)) without sanitization. This allows for the creation or deletion of directories in unauthorized locations on the host system.
  • [EXTERNAL_DOWNLOADS]: scripts/image_downloader.py and scripts/publish_pipeline.py fetch images and videos from arbitrary user-provided URLs. This is a core feature but could be leveraged for SSRF or to download malicious assets that are then uploaded to the target platform.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from Xiaohongshu (feeds, comments, and profile data).
      • Ingestion points: Functions like search-feeds, get-feed-detail, and get-notification-mentions in scripts/cdp_publish.py and scripts/feed_explorer.py retrieve content directly from the web.
      • Boundary markers: Absent. The agent is not instructed to use delimiters or to ignore instructions within the retrieved content.
      • Capability inventory: The agent can execute shell commands (via the provided scripts), perform file system writes (logs, CSV exports, JSON configs), and has full network access.
      • Sanitization: No sanitization is performed on the data retrieved from Xiaohongshu before it is processed by the agent or written to local files.
  • [COMMAND_EXECUTION]: In scripts/cdp_publish.py, the skill uses innerHTML to populate the Xiaohongshu content editor with user-provided text. This presents a risk of HTML injection or DOM-based XSS within the automated browser session, potentially allowing a malicious prompt to manipulate the browser environment.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 09:33 AM