geo-agent
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive authentication data by reading and writing browser session cookies in the user's home directory (`~/.playwright-data/`). These files provide persistent, authenticated access to platforms including Zhihu, Baijiahao, Sohu, and Toutiao.
- [COMMAND_EXECUTION]: Utilizes the Playwright library to automate browser sessions, enabling the agent to navigate login-protected pages, interact with content editors, and execute JavaScript within the browser context to simulate human publishing behavior.
- [EXTERNAL_DOWNLOADS]: Downloads browser binaries (Chromium) during its initialization phase using the `playwright install` command, which is a required step for its automation features.
- [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection because it incorporates scraped data from external sources into LLM prompts.
  - Ingestion points: Scrapes article titles and abstracts from search engines (Baidu, Bing) in `scripts/competitor_research.py` and model responses from AI search platforms in `scripts/index_checker.py`.
  - Boundary markers: Scraped content is inserted into article templates in `scripts/article_generator.py` using standard string interpolation without isolation delimiters or instructions to the LLM to disregard embedded commands.
  - Capability inventory: The skill can generate long-form articles and has automated write-access to multiple high-traffic content platforms via `scripts/publisher.py`.
  - Sanitization: No sanitization or validation logic is applied to the ingested search results or AI responses before they are processed by the generative model.
Audit Metadata