Skills
skills/cnife/my-scripts/crawl-xueqiu-my-timeline/Gen Agent Trust Hub

crawl-xueqiu-my-timeline

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The setup script check-agent-browser.sh performs a global installation of the agent-browser package from a public NPM registry.
  • [EXTERNAL_DOWNLOADS]: The skill uses bunx in the PDF generation workflow, which downloads and executes the mdpdf package from the NPM registry at runtime.
  • [COMMAND_EXECUTION]: The check-cdp.sh script uses pkill to terminate existing Google Chrome processes, which is an intrusive operation used to restart the browser in debug mode.
  • [COMMAND_EXECUTION]: The Python crawling script uses subprocess.run to invoke the agent-browser CLI, passing it dynamically constructed JavaScript code for execution within the browser context.
  • [PROMPT_INJECTION]: The skill ingests and processes timeline data from the Xueqiu platform. Since this data is generated by external users and later analyzed by AI subagents, it serves as an entry point for indirect prompt injection attacks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 12, 2026, 11:12 PM