crawl-xueqiu-user-timeline
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell scripts to verify and configure the environment, including managing Chrome debug processes and installing the
agent-browserutility. - [COMMAND_EXECUTION]: The core logic in
crawl_xueqiu_user_timeline_api.pyexecutes theagent-browserCLI viasubprocess.run. Command parameters are safely constructed using numeric IDs extracted from URLs. - [EXTERNAL_DOWNLOADS]: During setup, the skill downloads Node.js (via Homebrew) and the
agent-browserNPM package from a reputable registry mirror. - [PROMPT_INJECTION]: The skill processes untrusted user data from an external social network, representing an indirect prompt injection surface.
- Ingestion points: Data is retrieved from Xueqiu's API via a browser-side fetch call in
crawl_xueqiu_user_timeline_api.py. - Boundary markers: The generated Markdown does not use specific delimiters or instructions to ignore embedded content.
- Capability inventory: The skill uses subprocess execution for browser automation and performs local file writes.
- Sanitization: The script utilizes regular expressions to strip HTML tags and decode common entities before saving content.
Audit Metadata