baoyu-danger-x-to-markdown
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill extracts sensitive session cookies (auth_token, ct0, gt, twid) from a local Chrome instance and stores them in a local JSON file (cookies.json) at a predictable path within the application data directory.
- [COMMAND_EXECUTION]: The skill uses child_process.spawn to launch external browser executables (Google Chrome, Microsoft Edge, or Chromium) with the --remote-debugging-port flag enabled to capture authentication data via the Chrome DevTools Protocol (CDP).
- [CREDENTIALS_UNSAFE]: A hardcoded X API Bearer token is present in scripts/constants.ts. Although this appears to be a common public guest token, hardcoding authentication headers is a poor security practice.
- [EXTERNAL_DOWNLOADS]: The skill downloads binary media assets (images and videos) from external domains (pbs.twimg.com, video.twimg.com) and writes them directly to the local file system.
- [PROMPT_INJECTION]: The skill processes untrusted external data from X tweets and articles.
- Ingestion points: scripts/thread.ts (fetchTweetThread) and scripts/graphql.ts (fetchXArticle).
- Boundary markers: Output is wrapped in YAML front matter as specified in SKILL.md.
- Capability inventory: The skill has file system write access (writeFile) and process execution capabilities (spawn).
- Sanitization: Implements basic slug sanitization and markdown escaping (escapeMarkdownAlt) but remains susceptible to indirect prompt injection if the processed content contains malicious instructions designed to influence the agent in subsequent turns.
Audit Metadata