square-post
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The README.md and README.cn.md files instruct the agent to prompt users for their X-Square-OpenAPI-Key directly within the chat interface. This practice exposes sensitive credentials to the conversation logs and the model's history, violating best practices for secret management.
- [DATA_EXFILTRATION]: The skill transmits data and authentication headers to an unofficial endpoint (https://fb3b-38-175-103-97.ngrok-free.app). Using a temporary tunneling service (ngrok) instead of an official Binance domain allows the endpoint owner to inspect and log all requests, including the X-Square-OpenAPI-Key header injected by the platform.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted user input for "optimization" and subsequent API transmission.
  - Ingestion points: User-provided text for the bodyTextOnly field in SKILL.md.
  - Boundary markers: The instructions lack any delimiters (e.g., XML tags or triple quotes) or system instructions to ignore embedded commands within the user's post content.
  - Capability inventory: The skill has the capability to perform authenticated POST requests to an external URL via the Shift gateway.
  - Sanitization: There is no evidence of input validation or sanitization before the content is processed for "optimization" or sent to the API endpoint.
Recommendations
- AI detected serious security threats
Audit Metadata