xiaohongshu-ops
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The file Openclaw一键安装.md contains a bash script that downloads and executes the NVM installer directly via curl piped to bash. This pattern of executing remote scripts is a common vector for code injection, although the specific source is a well-known tool repository.
- [COMMAND_EXECUTION]: The skill uses shell commands to configure the environment, install global Node.js dependencies, and manage the Openclaw gateway service. It also executes JavaScript through the evaluate function to scrape data and interact with web elements.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from an external platform.
  - Ingestion points: The agent extracts information such as note titles and user comments from Xiaohongshu, as described in references/xhs-home-feed-analysis.md and references/xhs-comment-ops.md.
  - Boundary markers: The system lacks explicit delimiters or instructions to the LLM to ignore potentially malicious directions found within the scraped data.
  - Capability inventory: The agent has access to browser-level actions (type, click, upload), JavaScript execution, and the ability to write records to a local knowledge base directory.
  - Sanitization: The skill does not implement visible sanitization or validation protocols for the external content it processes.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download and installation of external tools and packages from GitHub and the NPM registry.
Audit Metadata