Skills
skills/aaaaqwq/agi-super-team/content-factory/Gen Agent Trust Hub

content-factory

Fail

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill accesses sensitive authentication data stored in the user's home directory.
  • scripts/auto_publisher.py searches for and reads Playwright storage states and cookie files at ~/.playwright-data/xiaohongshu/state.json and ~/.xiaohongshu/cookies.json to authenticate with social media creators' platforms.
  • scripts/aggregator/fetch_all.py reads browser session cookies from ~/.playwright-data/linuxdo/cookies.txt, ~/.playwright-data/xiaohongshu/cookies.txt, and ~/.playwright-data/sogou-weixin/cookies.txt to scrape content from authenticated sessions.
  • scripts/topic_scorer.py and scripts/content_generator.py execute the pass command-line utility via subprocess.run to retrieve API keys from a local password manager (e.g., pass show api/deepseek).
  • [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to execute system commands.
  • scripts/aggregator/fetch_all.py uses curl via subprocess to fetch data, bypassing standard Python HTTP libraries.
  • scripts/auto_publisher.py executes pkill to forcefully terminate browser processes.
  • Multiple scripts execute sys.executable to run other Python scripts within the package, creating a chain of subprocesses.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from several third-party and community-run APIs that are not well-known or trusted services.
  • scripts/aggregator/fetch_all.py relies on 60s.viki.moe for Weibo, Zhihu, and Toutiao hot-topic APIs.
  • It also uses pullpush.io for Reddit data collection.
  • [DATA_EXFILTRATION]: The skill combines reading sensitive local credential files (cookies and API keys) with making outbound network requests to various LLM providers and third-party APIs. This pattern creates a high risk of credential exfiltration if the target endpoints or the skill's logic are compromised.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a high vulnerability surface for indirect prompt injection.
  • Ingestion points: scripts/aggregator/fetch_all.py ingests titles and summaries from 10+ external platforms (Bilibili, Weibo, Reddit, etc.).
  • Boundary markers: Absent. The data is interpolated directly into LLM prompts in scripts/topic_scorer.py and scripts/content_generator.py without delimiters or safety instructions.
  • Capability inventory: The skill can automatically publish content to Xiaohongshu (scripts/auto_publisher.py) and send notifications to Telegram (scripts/draft_reviewer.py).
  • Sanitization: No sanitization or validation is performed on the ingested titles before they are processed by the AI models.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 19, 2026, 07:47 AM