genviral
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The scripts/update-skill.sh script downloads updated skill files from the author's official GitHub repository (github.com/fdarkaou/genviral-skill). Additionally, several scripts fetch content from external URLs provided by the user for analysis.
- [REMOTE_CODE_EXECUTION]: The self-update mechanism in scripts/update-skill.sh fetches remote scripts and overwrites local files, which are then marked as executable. This allows for runtime modification of the skill's logic.
- [COMMAND_EXECUTION]: The orchestration scripts (orchestrate.py, run_all.sh) and the main CLI wrapper (genviral.sh) use subprocess.run and system shells to execute various Python and Bash tasks as part of the content generation pipeline.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface. It ingests untrusted data from external websites (landing pages via lp_analyzer.py and community sites like Reddit as described in meta-ads/campaign/references/stage-prompts.md). This data is subsequently processed by the agent to generate ad copy. This risk is partially mitigated by a mandatory manual review step ('HARD GATE') before any content is posted.
Audit Metadata