Fail
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation instructs users to execute 'security unlock-keychain ~/Library/Keychains/login.keychain-db'. This command unlocks the macOS system keychain, potentially exposing all stored passwords and secrets to the environment.
- [EXTERNAL_DOWNLOADS]: The skill automatically attempts to install an external binary using 'uv tool install twitter-cli'. This package is maintained by an unverified third-party author ('jackwener') and is not part of the trusted vendors list.
- [DATA_EXFILTRATION]: The core functionality relies on the automatic extraction of browser session cookies (authentication tokens) from browsers like Chrome, Edge, and Firefox. This involves reading sensitive user data directly from local storage.
- [PROMPT_INJECTION]: The skill processes untrusted content from Twitter (search results, feeds). There are no boundary markers or sanitization steps documented to prevent indirect prompt injection from malicious tweet content.
- Ingestion points: 'twitter feed', 'twitter search', and 'twitter user-posts' commands in SKILL.md.
- Boundary markers: None present in the prompt instructions.
- Capability inventory: Capability to execute shell commands ('twitter'), install tools ('uv'), and write to the filesystem ('-o FILE') in SKILL.md.
- Sanitization: No sanitization or escaping of external content is specified before passing data to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata