xhs-auth
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script, scripts/cli.py, using user-provided inputs such as phone numbers and verification codes. This creates a risk of command injection if the agent interpolates unsanitized user input directly into shell command strings.
- [CREDENTIALS_UNSAFE]: The skill's primary function is to handle authentication credentials, specifically user phone numbers and SMS verification codes (OTP). While this is the intended purpose, it involves handling PII and temporary credentials within the agent's context.
- [PROMPT_INJECTION]: The skill includes instructions that explicitly command the agent to ignore any other potential tools or memory-based implementations (e.g., 'must ignore all others', 'forbidden to call MCP tools'). Such overrides are used here to enforce the use of the project's specific scripts but represent a pattern used to bypass established tool preferences or system constraints.
- [DATA_EXPOSURE]: The skill manages authentication state by reading and deleting local cookies and displaying login URLs and QR codes. Although these actions are local, they involve managing session-level sensitive data.
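As an added illustration of the COMMAND_EXECUTION and CREDENTIALS_UNSAFE findings above (example code, not the xhs-auth skill's own scripts or anything from the audit), the block below contrasts the pattern the audit warns about, pasting the phone number and OTP into a single shell string, with a hardened invocation that validates both values against tight allow-lists and passes them as separate argv entries with no shell involved. The flag names --phone and --code and the exact way scripts/cli.py is called are assumptions for illustration; the redaction helper shows the OTP being masked before the command line is logged or shown.

```python
# Added example, not code from the xhs-auth skill or the audit: it contrasts the
# interpolation pattern the COMMAND_EXECUTION finding warns about with a
# hardened argv-based invocation. The flag names --phone and --code, and the
# exact way scripts/cli.py is called, are assumptions for illustration.
import re
import shlex
import subprocess
import sys

# Tight allow-lists for the two inputs the skill passes through the agent.
PHONE_RE = re.compile(r"\+?[0-9]{6,15}")
OTP_RE = re.compile(r"[0-9]{4,8}")

SCRIPT = "scripts/cli.py"  # path named in the audit; invocation details assumed


def build_shell_string_unsafe(phone: str, code: str) -> str:
    """The risky pattern: untrusted values pasted into one shell string.
    Run with shell=True, metacharacters in `phone` become shell syntax."""
    return f"python {SCRIPT} --phone {phone} --code {code}"


def shell_word_count(command: str) -> int:
    """How many words the shell would see. A benign call produces six; an
    injected payload adds words (the part after ';' runs as a second command)."""
    return len(shlex.split(command))


def validate_inputs(phone: str, code: str) -> None:
    """Reject anything that is not a plausible phone number or numeric OTP."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be 6-15 digits with an optional leading +")
    if not OTP_RE.fullmatch(code):
        raise ValueError("verification code must be 4-8 digits")


def build_argv_safe(phone: str, code: str) -> list[str]:
    """Hardened form: validated values are separate argv entries and never
    pass through a shell, so no character in them can alter the command."""
    validate_inputs(phone, code)
    return [sys.executable, SCRIPT, "--phone", phone, "--code", code]


def run_cli(phone: str, code: str, dry_run: bool = True) -> list[str]:
    """Invoke the script without a shell. With dry_run the argv is only built
    and returned, which is what an agent should log (OTP redacted) before running."""
    argv = build_argv_safe(phone, code)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


def redact_argv(argv: list[str]) -> list[str]:
    """Mask the OTP (a temporary credential) before the command line is logged
    or displayed, addressing the CREDENTIALS_UNSAFE concern."""
    out = list(argv)
    if "--code" in out:
        i = out.index("--code")
        if i + 1 < len(out):
            out[i + 1] = "******"
    return out


if __name__ == "__main__":
    # Constructed inputs: a benign phone number and one carrying a shell payload.
    benign, hostile, otp = "13800000000", "13800000000; rm -rf ~", "123456"
    print(shell_word_count(build_shell_string_unsafe(benign, otp)))   # 6
    print(shell_word_count(build_shell_string_unsafe(hostile, otp)))  # 9
    print(redact_argv(run_cli(benign, otp)))
    try:
        run_cli(hostile, otp)
    except ValueError as exc:
        print("rejected:", exc)
```

The word count makes the risk concrete: the shell string built from the hostile phone number tokenizes into nine words, of which `rm -rf ~` would be executed as a separate command, whereas the argv form either rejects the value outright or passes it as one opaque argument that the script receives verbatim.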
Audit Metadata