baoyu-danger-x-to-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In
scripts/cookies.ts, the skill identifies and executes a local browser binary (Chrome, Chromium, or Edge) with a remote debugging port enabled. This is used to programmatically extract authentication cookies via the Chrome DevTools Protocol (CDP). - [CREDENTIALS_UNSAFE]: The skill manages sensitive X authentication data. It reads tokens from environment variables (
X_AUTH_TOKEN,X_CT0) and persists them to a local JSON file (cookies.json) in the user's application support directory. - [EXTERNAL_DOWNLOADS]: The skill fetches media assets (images and videos) from X.com's well-known media servers (
pbs.twimg.com,video.twimg.com) to save them locally. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it retrieves and processes arbitrary content from X.com.
- Ingestion points: Data enters the context via
scripts/graphql.ts, which fetches tweet and article text from external API responses. - Boundary markers: Absent. The resulting markdown does not use delimiters to clearly isolate untrusted content from the agent's instructions.
- Capability inventory: Subprocess execution (browser spawning), file system read/write access, and network operations.
- Sanitization: Absent. Text retrieved from X.com is formatted into markdown without being sanitized for potential instructions that could influence agent behavior.
Audit Metadata