Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 96% confidence
- Finding
- The skill claims publishing occurs only when the user explicitly requests it, but the documented implementation relies on an operator or agent choosing to invoke a separate publish script, with no code-level enforcement of user consent at publish time. Because publish_xhs.py can perform real authenticated posting using XHS_COOKIE and does not require an explicit consent artifact or interactive confirmation, an agent orchestration mistake, prompt injection, or unsafe wrapper could cause unauthorized posting to a real social-media account.
