media-auto-publisher
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from web page snapshots to automate UI interactions.
- Ingestion points: `scripts/media_publisher.py` (functions `detect_popup_in_snapshot` and `check_login_status` ingest raw text snapshots from Playwright).
- Boundary markers: Absent; there are no delimiters or instructions to the agent to ignore commands found within the scraped web content.
- Capability inventory: The skill utilizes Playwright MCP tools to navigate, click, and fill forms, and has scripts for reading and writing local cookie files.
- Sanitization: Absent; the implementation relies on simple string matching against raw page content.
- [COMMAND_EXECUTION]: The `SKILL.md` instructions recommend executing `pkill -f chrome` for resource cleanup. This command is overly broad and will terminate all Chrome processes on the system, potentially causing data loss in the user's unrelated browser sessions.
- [DATA_EXFILTRATION]: The `scripts/cookie_manager.py` script facilitates the storage and export of sensitive session cookies in `~/.claude/media-auto-publisher/cookies.json`. While intended for account management, storing authentication credentials in plain text locally increases the risk of credential exposure.
Audit Metadata