observing-atproto
Warn
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection. It ingests large volumes of untrusted data from the ATProtocol firehose and social media feeds.
  1. Ingestion points: Data is pulled from wss://jetstream2.us-east.bsky.network/subscribe and public APIs.
  2. Boundary markers: Absent. No delimiters are used to separate untrusted content from instructions.
  3. Capability inventory: Observations are recorded via tools.cognition, feeding summarized content into the agent's reasoning loop.
  4. Sanitization: Absent. The code does not filter or sanitize text from external posts.
- [COMMAND_EXECUTION] (LOW): The documentation suggests executing local scripts (tools.firehose and tools.cognition) using the uv tool. This relies on the security of those pre-existing local scripts.