content-source-aggregator
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM | CREDENTIALS_UNSAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The Python script accesses sensitive local session cookie files stored in the user's home directory. Specifically, it reads from `~/.playwright-data/linuxdo/cookies.txt`, `~/.playwright-data/xiaohongshu/cookies.txt`, and `~/.playwright-data/sogou-weixin/cookies.txt` to authenticate scraping requests.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it ingests untrusted text (titles and summaries) from various public social media platforms and writes them to a JSON file intended for processing by other AI agents.
  - Ingestion points: The script fetches data from X/Twitter, YouTube RSS, Bilibili APIs, GitHub Search, Reddit (via PullPush), LinuxDo, Douyin, Xiaohongshu, and WeChat Sogou Search.
  - Boundary markers: There are no delimiters or boundary markers used to encapsulate the external content in the generated JSON output.
  - Capability inventory: The script performs file-write operations to the local filesystem (`~/clawd/workspace/content-pipeline/hotpool/`) and network requests via `urllib.request`.
  - Sanitization: The script performs basic HTML unescaping and regex-based tag removal but contains no logic to filter or neutralize malicious instructions embedded within the fetched content.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute its main collection script (`fetch_all.py`). While this is the intended functionality, it grants the agent the ability to execute code on the host machine to manage the aggregation process.
Audit Metadata