Trust Assessment
xhs-skill received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 1 high, 2 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Node lockfile missing, Prompt Injection via Untrusted QR Code Text Output.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via Untrusted QR Code Text Output.** The skill explicitly instructs the LLM to extract and directly output the text content of a QR code (`<qr_text>`) to the user. If an attacker can manipulate the content of the QR code (e.g., by controlling the login page or intercepting the QR generation), they could embed malicious instructions within the QR text. The LLM, following its instructions, would then output these malicious instructions directly into the chat, potentially leading to prompt injection. Before outputting any untrusted text content, especially from external sources like QR codes, sanitize it to remove any potential LLM instructions or control characters. Alternatively, present the QR code as an image only, or require explicit user confirmation before processing its text content. | LLM | SKILL.md:49 |
| CRITICAL | **Command Injection via Unsanitized URL Interpolation.** The skill instructs the LLM to capture URLs from `agent-browser` (e.g., `CURRENT_URL`, `PROBE_FINAL_URL`) and then directly interpolate these values into a `node` command as arguments. If an `agent-browser` call returns a URL containing shell metacharacters (e.g., `http://example.com; rm -rf /`), and the LLM interpolates this string without proper escaping, it could lead to arbitrary command execution on the host system. Implement robust sanitization and escaping for all external or untrusted inputs before interpolating them into shell commands. Use a library or built-in shell features (e.g., `printf %q`) to properly quote or escape arguments. Ensure the LLM is instructed to use these safe interpolation methods. | LLM | SKILL.md:80 |
| HIGH | **Credential Harvesting Risk via Cookie Header Output.** The skill provides a command (`node ./bin/xhs-skill.mjs cookies to-header`) that prints the full `Cookie:` header string to standard output. While the skill does not explicitly instruct the LLM to send this output to the user, the default behavior of an LLM executing a command is to include its stdout in the response. A malicious user could easily prompt the LLM to execute this command and then exfiltrate sensitive session cookies, leading to account compromise. Avoid printing sensitive credentials like full cookie headers directly to standard output. If such information is needed for debugging or specific workflows, ensure it is logged to a secure, local file with restricted access, or masked before display. The LLM should be explicitly instructed never to output such sensitive data to the user chat. | LLM | SKILL.md:109 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'jsqr' is not pinned to an exact version ('^1.4.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/leeguooooo/xhs-skill/package.json |
| MEDIUM | **Supply Chain Risk: Unpinned Dependencies.** The `package.json` file uses caret (`^`) ranges for its dependencies (`jsqr`, `pngjs`, `qrcode-terminal`). This allows for automatic updates to minor and patch versions. While convenient, it introduces a supply chain risk where a malicious update to an upstream dependency could be automatically pulled into the skill, potentially introducing vulnerabilities or backdoors without explicit review. For security-sensitive skills, exact pinning of dependency versions is recommended. Pin all dependencies to exact versions (e.g., `"jsqr": "1.4.0"`) to ensure reproducibility and prevent unexpected changes from upstream. Regularly audit and manually update dependencies after verifying their integrity and security. | LLM | package.json:10 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/leeguooooo/xhs-skill/package.json |