trending-skills
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Metadata Poisoning (MEDIUM): The file src/__init__.py contains a docstring and metadata describing a completely different application ('AI Daily - AI资讯日报自动生成器') than the one stated in SKILL.md ('trending-skills'). This discrepancy suggests either a deceptive origin or poor maintenance practices that could mask malicious intent.
- Insecure Browser Configuration (MEDIUM): In src/skills_fetcher.py, the Chromium browser is launched with the --no-sandbox and --disable-setuid-sandbox arguments. Disabling the browser sandbox is a dangerous practice that removes the primary layer of protection between the agent's environment and potentially malicious JavaScript on the scraped website.
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from skills.sh, which is then formatted and presented to the agent.
  - Ingestion points: Content is fetched from external URLs in src/detail_fetcher.py and src/skills_fetcher.py.
  - Boundary markers: The skill lacks explicit delimiters or instructions to prevent the agent from interpreting fetched content (like 'Usage descriptions' or 'Rules') as instructions.
  - Capability inventory: The skill executes local Python scripts, shell commands for installation, and manages a headless browser instance.
  - Sanitization: Data is parsed via BeautifulSoup to extract text, but there is no validation to filter out adversarial prompt instructions embedded in the external content.
- External Downloads (LOW): Setup requires playwright install chromium --with-deps, which downloads binary browsers and system-level dependencies. While Playwright is a trusted library, downloading opaque binaries at runtime is a risk factor.
- Data Exposure (LOW): The skill performs network requests to skills.sh. While necessary for the skill's primary purpose, this domain is not on the trusted whitelist.
Audit Metadata