tweet-rl-tracker

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill utilizes the evaluate_script tool within the Chrome DevTools MCP to execute arbitrary JavaScript in the browser context. This allows the agent to scrape data and control the page, but also provides a mechanism for executing code that could interact with sensitive session data or perform unauthorized actions on websites.
  • [COMMAND_EXECUTION]: The skill provides code snippets that perform local file system operations, specifically using fs.writeFileSync to save screenshot data to paths like /tmp. This allows the agent to write arbitrary data to the local disk.
  • [DATA_EXFILTRATION]: The suggested workflow involves capturing screenshots of a browser session (which may include private data if logged in) and uploading them to external, third-party hosting services (temp file hosts, S3, Cloudinary). This poses a risk of exposing sensitive visual information to external entities.
  • [PROMPT_INJECTION]: The skill processes content from untrusted external URLs (Twitter/X). This creates a surface for indirect prompt injection, where malicious content on a webpage could influence the agent's behavior.
    • Ingestion points: Data is ingested from external URLs via new_page and evaluate_script.
    • Boundary markers: No delimiters or instructions are used to separate untrusted web content from agent instructions.
    • Capability inventory: The skill uses evaluate_script for JavaScript execution, take_screenshot, and fs.writeFileSync for file system access.
    • Sanitization: Extracted metadata and tweet text are used without sanitization in subsequent Notion tool calls.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 10, 2026, 02:59 AM