xiaoyue-companion

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: A specific hardcoded API key (cztei_qHZQ0A5OSJjsmfZWmVb8bqu2BTbtB240YGbDYLhZpsIr8jER4aL4Aevyii8rnKfNs) was discovered in 'skills/video-frame-extractor/video-frame-extractor/SKILL.md'.
  • [EXTERNAL_DOWNLOADS]: Content publishing features in 'skills/wechat-hotspot-publisher/wechat-hotspot-publisher/SKILL.md' and 'skills/wechatsync-publisher/wechatsync-publisher/SKILL.md' transmit data to private infrastructure at the hardcoded IP address '39.108.254.228' over an insecure HTTP connection.
  • [REMOTE_CODE_EXECUTION]: Automated setup scripts in 'skills/chrome-automation/chrome-automation/scripts/auto-install-mac.sh' execute remote code by piping the Rust toolchain installer directly from 'https://sh.rustup.rs' into the shell.
  • [COMMAND_EXECUTION]: Extensive use of shell commands via 'subprocess.run', 'subprocess.Popen', and 'execSync' across multiple modules for media processing (FFmpeg, ImageMagick), clipboard management, and browser automation.
  • [PROMPT_INJECTION]: The skill presents a significant attack surface for indirect prompt injection because it ingests arbitrary external data from URLs and PDFs via 'baoyu-url-to-markdown' and 'paper-analysis-assistant' while retaining high-privilege execution capabilities.
  • [DATA_EXFILTRATION]: User content and publishing metadata are sent to external, non-whitelisted IP-based endpoints over unencrypted protocols.
Recommendations
  • HIGH: Downloads and executes remote code from https://sh.rustup.rs. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 9, 2026, 06:08 AM