Skills
NYC
skills/aidotnet/moyucode/x-report-generator/Gen Agent Trust Hub

x-report-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill relies on an external script scripts/x_report_generator.py that is not provided for review. Executing unverified local scripts allows for arbitrary code execution on the host system.
  • [CREDENTIALS_UNSAFE] (HIGH): The usage instructions explicitly guide users to store and pass session cookies (cookies.json) for authentication. This creates a high risk of credential theft if the script is malicious or if the host environment is compromised.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill requires downloading external binaries (playwright install chromium) and references an untrusted GitHub repository (AmineDiro/twitter-scraper). This falls outside the [TRUST-SCOPE-RULE].
  • [PROMPT_INJECTION] (MEDIUM): As an 'Indirect Prompt Injection' vector (Category 8), the skill ingests untrusted data from X (Twitter). This data is processed for sentiment analysis and report generation; without sanitization, an attacker could embed malicious instructions in tweets to manipulate the agent's reasoning or report output.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:00 AM