makecontents
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions explicitly direct the agent to use exec with curl to interact with a local API (e.g., http://localhost:3710/api/health). This grants the agent shell execution privileges, which is a significant security risk as it allows for potential execution of arbitrary commands on the host machine.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by consuming untrusted data from external RSS feeds.
  - Ingestion points: External content enters the agent context via the /news/grouped and /news/agent-summary endpoints as described in SKILL.md and references/api.md.
  - Boundary markers: No delimiters or specific instructions are provided to help the agent distinguish between data and instructions within the feed content.
  - Capability inventory: The agent can execute shell commands (exec + curl in SKILL.md), write to local rule files (references/agent-rules.md), and send data to social media and messaging platforms (WeChat, Feishu, Xiaohongshu).
  - Sanitization: There is no evidence of content filtering or validation before the agent processes the feed data to generate content or update its operational rules.
- [DATA_EXFILTRATION]: The skill manages sensitive authentication data such as social media cookies and messaging API keys. While these are used to automate content posting, the agent's direct interaction with services using these credentials increases the risk of accidental or malicious data exposure.
Recommendations
- AI detected serious security threats
Audit Metadata