chirp
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (PROMPT_INJECTION, NO_CODE)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill provides a significant attack surface for indirect prompt injection due to its core functionality.
  - Ingestion points: Untrusted external data is ingested through the `browser action=snapshot` command while viewing `x.com` pages (SKILL.md).
  - Boundary markers: There are no instructions or boundary markers defined to isolate external data from the agent's internal instruction set.
  - Capability inventory: The skill grants the agent the ability to perform write operations and UI interactions using `browser action=act`, including posting tweets and replying (SKILL.md).
  - Sanitization: The skill does not implement or describe any sanitization, filtering, or validation of the content retrieved from the browser before processing.
- [Metadata Poisoning] (LOW): The metadata references an external GitHub repository (`github.com/zizi-cat/chirp`). While the repository is not in the trusted source list, no direct injection or malicious patterns were identified in the metadata fields themselves.
- [No Code] (INFO): The skill consists entirely of markdown instructions and metadata, with no executable scripts or local code files, which limits the risk of traditional malware but focuses risk on prompt logic and tool usage.
Recommendations
- AI detected serious security threats
Audit Metadata