toutiao-publisher

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection because it processes external article content and has the capability to publish that content to a public platform.
  • Ingestion points: The publisher.py script (referenced in README.md and SKILL.md) accepts external content via the --content parameter.
  • Boundary markers: Absent. There are no delimiters or 'ignore embedded instructions' warnings when processing input.
  • Capability inventory: The skill uses patchright for full browser automation, maintains persistent login sessions, and performs automated clicking/typing to publish articles.
  • Sanitization: The scripts/md2html.py script provides only basic regex-based formatting and does not sanitize the resulting HTML against malicious injections that could influence the browser's execution or the agent's behavior.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires patchright, a non-standard stealth fork of the Playwright library.
  • Evidence: requirements.txt specifies patchright==1.55.2. scripts/setup_environment.py executes patchright install chrome, which downloads and executes binary components from non-whitelisted external sources.
  • [COMMAND_EXECUTION] (MEDIUM): Extensive use of the subprocess module to manage environments and execute internal scripts.
  • Evidence: scripts/run.py uses subprocess.run to execute Python scripts with arguments passed directly from sys.argv, which could be exploited if the agent is manipulated into passing malicious flags to the interpreter.
  • [COMMAND_EXECUTION] (LOW): Browser security is weakened by configuration flags.
  • Evidence: scripts/config.py includes the --no-sandbox argument in BROWSER_ARGS, which disables a critical security layer in the Chromium browser, increasing the risk to the host system if the browser visits a malicious site during the automation flow.
  • [Metadata Poisoning] (MEDIUM): Significant documentation-code mismatch.
  • Evidence: scripts/publisher.py is identified as the 'Core Executor' in the README.md and SKILL.md, yet the file is missing from the provided skill package, preventing a full security audit of the most sensitive logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:29 AM