em-social-content
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection due to the ingestion of untrusted external content combined with file-system write capabilities.
  - Ingestion points: `SKILL.md` Step 1.1 (Inbox items) and Step 2 (URL Investigation) read data from potentially attacker-controlled sources (web pages and bookmarks).
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to ignore embedded commands within the ingested content.
  - Capability inventory: The skill has permissions to read files, write new files (Step 5), and move/rename files (Step 6) within the local directory defined in `.social-config.json`.
  - Sanitization: Absent. The agent is instructed to "Investigate the URL" and "Extract content", which can lead to the execution of malicious instructions found in the fetched text.
- COMMAND_EXECUTION (MEDIUM): The skill automates file management tasks that could be abused if the agent is compromised via prompt injection.
  - Evidence: Step 6 explicitly moves files (`Inbox/` to `Processed/`), which is a destructive operation (removal from source). Step 5 writes files with user-controlled or URL-controlled metadata (slugs and tags).
Recommendations
- AI detected serious security threats