media-auto-publisher
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill implements a workflow that parses text from external web pages to automate UI interactions, creating a surface for indirect prompt injection.
- Ingestion points: Page snapshots and text content retrieved from third-party social media platforms (processed in
scripts/media_publisher.pyandscripts/platform_navigator.py). - Boundary markers: The scripts lack delimiters or specialized instructions to prevent the agent from potentially obeying instructions that might be embedded in the text of the page snapshots.
- Capability inventory: The skill is designed to work with Playwright MCP tools which possess capabilities to navigate browsers, click elements, and fill forms.
- Sanitization: There is no evidence of filtering or sanitization of the text retrieved from page snapshots before it is used to identify automation targets.
- [CREDENTIALS_UNSAFE]: The skill manages authentication by storing sensitive session cookies in a local JSON file.
- Evidence:
scripts/cookie_manager.pyreads and writes session data to~/.claude/media-auto-publisher/cookies.json. - Context: While this storage is central to the skill's purpose of account switching, it involves storing plaintext session tokens on the local filesystem, which could be exposed if the local environment is compromised.
Audit Metadata