content-source-aggregator
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The script reads sensitive session information from local files to maintain authentication states for various web platforms.
  - The file scripts/fetch_all.py attempts to read session cookies from ~/.playwright-data/linuxdo/cookies.txt, ~/.playwright-data/xiaohongshu/cookies.txt, and ~/.playwright-data/sogou-weixin/cookies.txt.
  - These files contain highly sensitive authentication tokens that grant access to the user's accounts on these platforms.
- [PROMPT_INJECTION]: The skill acts as an aggregator of untrusted content from multiple external platforms, creating a significant surface for indirect prompt injection attacks.
  - Ingestion points: Data is fetched from X/Twitter, YouTube, Bilibili, GitHub, Reddit, LinuxDo, Douyin, Xiaohongshu, and WeChat using the fetch_* functions in scripts/fetch_all.py.
  - Boundary markers: There are no markers or delimiters used in the output JSON format to distinguish between the fetched data and potential instructions, which could mislead downstream processing agents.
  - Capability inventory: The skill has the ability to write files to the user's workspace using standard Python file I/O operations.
  - Sanitization: The skill lacks any mechanism for sanitizing or filtering the content retrieved from external sources, meaning malicious instructions embedded in titles or summaries are saved directly to the 'hotpool' data file.
Recommendations
- AI detected serious security threats