trends-bulletin
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns or obfuscation techniques were detected. The skill logic is consistent with its stated purpose of trend aggregation.\n- [EXTERNAL_DOWNLOADS]: Fetches data from well-known services including HuggingFace, GitHub, Hacker News, Product Hunt, Reddit, and YouTube using official or public APIs.\n- [DATA_EXFILTRATION]: Sends collected trend summaries to xAI for analysis and Telegram for messaging. These operations target well-known services and are core to the skill's primary functionality.\n- [PROMPT_INJECTION]: The skill processes untrusted text from external platforms (e.g., Reddit post titles) through an LLM to generate summaries, which creates a surface for indirect prompt injection.\n
- Ingestion points: Trending data is pulled from 6 platforms in scripts/main.ts.\n
- Boundary markers: No explicit delimiters are used in the analysis prompt to separate external data from system instructions.\n
- Capability inventory: Network access via fetch to Telegram and xAI APIs.\n
- Sanitization: No sanitization of ingested strings is performed before processing.
Audit Metadata