twitter-reader
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill presents a significant Indirect Prompt Injection surface (Category 8). It retrieves external, user-controlled content from Twitter/X and feeds it directly into the agent's context. Evidence Chain: 1. Ingestion points: The scripts fetch_tweet.py and fetch_tweets.sh ingest data from the r.jina.ai endpoint. 2. Boundary markers: Absent; the retrieved content is returned as a raw string without any structural delimiters to prevent the agent from interpreting data as instructions. 3. Capability inventory: The fetch_tweet.py script possesses file-writing capabilities (Path.write_text) and executes system commands via subprocess. 4. Sanitization: None; there is no filtering or escaping of the fetched markdown content.
- Command Execution (LOW): The skill relies on the system curl binary to perform network requests. While the Python implementation uses a list of arguments to mitigate shell injection, the bash script relies on variable quoting, which is a less robust defense against complex input strings.
Recommendations
- AI detected serious security threats
Audit Metadata