Oathe Security Badge

Is iamzifei/xiaohongshu-images-skill safe?

https://github.com/iamzifei/xiaohongshu-images-skill

92
SAFE

This is a legitimate skill for transforming content into styled images for Xiaohongshu social media platform. The skill includes well-documented functionality, professional code quality, and operates within its stated scope. The main concerns are the inclusion of executable Python code and dependency on an external skill, but both appear to serve legitimate purposes.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

MEDIUM Executable Python script included -10

The skill includes scripts/screenshot.py, an executable Python script using Playwright for browser automation. While the code appears legitimate for taking screenshots, executable scripts present potential security risks.

LOW External skill dependency -15

The skill declares a dependency on /baoyu-cover-image skill for generating cover images. This external dependency could potentially be a security vector if the dependent skill is compromised.

INFO Accesses user directories -5

The skill is designed to work with files in ~/Dev/obsidian/ directories and create output files in specific folder structures. This is clearly documented as part of its intended functionality.