x-scraper
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Python Code Injection in `scrape_x_user.sh`. The script constructs a Python command by interpolating the `$USERNAME` and `$KEYWORD` bash variables directly into a command string: `python3 -c "... quote('from:${USERNAME} ${KEYWORD}'))"`. A malicious input could break out of the string quotes and execute arbitrary Python code on the host system.
- [COMMAND_EXECUTION]: JavaScript Injection in `scrape_x_user.sh`. The `$USERNAME` variable is interpolated into a JavaScript snippet executed within the browser context via `agent-browser eval`: `.includes('$USERNAME')`. An attacker-controlled username could break the script logic or execute arbitrary JavaScript within the authenticated browser session.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: `scrape_x_home.sh` and `scrape_x_user.sh` ingest raw, untrusted tweet content from X.com.
  - Boundary markers: Absent. The output formats (Markdown, JSON, RSS) do not use delimiters or instructions to help the agent distinguish between data and potential commands embedded in tweets.
  - Capability inventory: The skill environment has access to `agent-browser` (web automation) and `python3` (local execution).
  - Sanitization: Absent. While RSS output uses HTML escaping, the Markdown and JSON outputs do not sanitize content for instructions that might target the LLM (e.g., 'ignore previous instructions').
- [COMMAND_EXECUTION]: Arbitrary File Write. The `-o` argument in both scripts allows for an arbitrary output path which is used in shell redirection (`> "$OUTPUT_FILE"`). This could be exploited for path traversal or to overwrite sensitive system files.
Recommendations
- AI detected serious security threats
Audit Metadata