weibo-hot-search
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The script scripts/browser-use.py takes a user-provided string directly from the command line and passes it as a task to a remote browser agent via agent.browser.execute_task. This is a classic injection surface where malicious instructions could hijack the agent's behavior.
  - Ingestion points: scripts/browser-use.py (via args.task from the CLI).
  - Boundary markers: Absent. The task string is passed as-is to the agent without delimiters or safety framing.
  - Capability inventory: Full browser interaction, navigation, and vision capabilities in a remote session (image_id='browser_latest').
  - Sanitization: Absent. No filtering or validation of the task instructions is performed before execution.
- [CREDENTIALS_UNSAFE] (HIGH): The get_api_key function in scripts/browser-use.py automatically writes the AGENTBAY_API_KEY environment variable to a plaintext file at ~/.config/agentbay/api_key. This exposes the user's API credentials to any other process or user with access to the home directory.
- [COMMAND_EXECUTION] (MEDIUM): The skill facilitates the execution of complex browser automation tasks. While the execution happens in a remote 'AgentBay' environment, the lack of constraints on the task parameter allows it to be used for arbitrary browser-based activities beyond the stated purpose of Weibo scraping.
- [METADATA_POISONING] (LOW): The skill instructions in SKILL.md explicitly tell the agent '不需要创建新的脚本' (no need to create new scripts) and to use the provided browser-use.py. While technically a constraint, it directs the agent toward an execution path that handles unvalidated input.
Recommendations
- AI detected serious security threats
Audit Metadata