social-inbox
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `social-inbox.mjs` script executes shell commands using `execSync`, with the search query placed inside a shell command string. Although `JSON.stringify` is applied to the query, it does not escape shell-active characters such as `$()` or backticks, so an attacker who can influence the search term (for example, when the term is derived from malicious external content) can execute arbitrary commands. Evidence: the `runTwitterApi` function in `social-inbox.mjs` passes the search command string directly to `execSync`.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by fetching mentions and search results from X/Twitter and presenting them to the agent for processing.
  1. Ingestion points: untrusted tweet content is fetched in `social-inbox.mjs` via the `mentions` and `search` commands.
  2. Boundary markers: the output JSON file `social-inbox.json` uses no delimiters or instructions to warn the agent about potentially malicious content within the tweet text.
  3. Capability inventory: the skill uses `execSync` to run local scripts, and the agent's instructions in `SKILL.md` encourage it to read the inbox and draft replies, creating a path for malicious instructions in tweets to influence agent actions.
  4. Sanitization: there is no evidence of sanitization or filtering of the tweet text before it is saved to the inbox and read by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata