coo-social-media
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Dynamic Execution (MEDIUM): The skill utilizes mcp__playwright__playwright_evaluate to run arbitrary JavaScript within the browser. While the documented use is for UI actions like scrolling, this tool allows for the execution of any script against the DOM and browser session, presenting a risk of unauthorized actions or session hijacking if the agent is misled.
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process data from external, attacker-controllable sources.
- Ingestion points: Web page content and social media comments are retrieved via mcp__playwright__playwright_get_visible_text and mcp__playwright__playwright_get_visible_html.
- Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent ignores malicious instructions embedded within the scraped social media content.
- Capability inventory: High. The skill has permissions to navigate to creator dashboards, fill forms, and click buttons to publish or modify content.
- Sanitization: Absent. The skill does not perform any validation or escaping on the retrieved web content before processing it for analysis or response generation.
- Data Exposure (LOW): The skill targets sensitive administrative pages (e.g., creator.xiaohongshu.com, mp.weixin.qq.com). By capturing screenshots and full HTML, the skill places sensitive business metrics and potentially user PII into the LLM context, increasing the risk of exposure.
Audit Metadata