news-daily
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core functionality involves ingesting untrusted data from external web sources which is then processed by an LLM and outputted to high-privilege communication channels (Telegram/WhatsApp).
  - Ingestion Points: `scripts/news-fetcher.sh`, `scripts/fetch_news.py`, and modular fetchers in `scripts/fetchers/` (huxiu, youtube, wechat) fetch titles, summaries, and full text from external URLs.
  - Boundary Markers: The summarization prompt in `scripts/news-summarizer.md` lacks robust delimiters or explicit instructions to treat fetched content as data only, making it vulnerable to embedded instructions within news articles.
  - Capability Inventory: The skill utilizes `web_fetch`, `web_search`, and the `message` tool (for Telegram/WhatsApp delivery).
  - Sanitization: No evidence of sanitization or filtering of fetched content before it is interpolated into the summarization prompt.
- Persistence (LOW): `scripts/cron-setup.sh` and `scripts/news-daily/INSTALL.md` provide instructions and scripts to create cron jobs. While this is the intended functionality for scheduled news, it establishes a persistence mechanism on the host system.
- External Dependencies (LOW): The documentation recommends installing `yt-dlp` and `jq` via system package managers or pip. These are well-known tools, but they represent external code that is required for full v2 functionality.
Recommendations
- AI detected serious security threats