poast
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill documentation in
SKILL.mdsuggests updating vianpx skills@latest install poastbot/poast-skill. While intended as a user instruction, an agent may attempt to execute this command automatically to fulfill an update requirement, resulting in the download and execution of unvetted code from an untrusted repository. - PROMPT_INJECTION (LOW): This skill exposes a significant surface for Indirect Prompt Injection (Category 8).
- Ingestion points: Untrusted data enters the agent context from the Poast API via
scripts/poast_feed.sh,scripts/poast_timeline.sh, andscripts/poast_mentions.sh. - Boundary markers: Absent. The retrieved post content is processed directly by the agent without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill provides capabilities to create posts, delete posts, and follow users, which could be exploited by malicious instructions embedded in ingested posts.
- Sanitization: Absent. The skill does not validate or sanitize the content returned from the external API.
- DATA_EXFILTRATION (LOW): The skill sends user-provided content to
https://www.poast.bot. Although this is the stated purpose, it constitutes data leaving the local environment to a third-party service not on the trusted list. - COMMAND_EXECUTION (LOW): The skill uses multiple bash scripts that invoke
curlandjq. Some scripts, such aspoast_profile.shandpoast_update.sh, use string concatenation to build JSON payloads, which is a fragile pattern vulnerable to injection if the calling agent passes malformed or malicious strings.
Audit Metadata