baoyu-danger-x-to-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [External Downloads] (MEDIUM): The skill's primary execution method is
npx -y bun, which automatically downloads thebunruntime and other necessary packages from the npm registry if they are not already present. This introduces a dependency on external, unverifiable code at runtime. - [Command Execution] (MEDIUM): The
SKILL.mdinstructions require the agent to execute multiple Bash commands, includingcat,test, andmkdir. These are used to manage a consent flow and configuration files (consent.jsonandEXTEND.md) in the user's home and application data directories. - [Data Exposure & Exfiltration] (LOW): The skill accesses and manages sensitive authentication data. It specifically resolves and interacts with paths in
~/Library/Application Support(macOS) and%APPDATA%(Windows) to store X cookies and browser profile data. While used for the skill's intended purpose of scraping X content, this involves handling credentials that could be targeted for exfiltration. - [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from X tweets and articles which is then formatted into Markdown for the agent.
- Ingestion points: Data enters the agent via API responses fetched in
scripts/thread.tsandscripts/tweet-article.ts. - Boundary markers (absent): The generated Markdown lacks explicit instructions or delimiters to warn downstream LLM processes to ignore instructions embedded within the tweet content.
- Capability inventory: The skill can execute shell commands via
npxand perform file system operations. - Sanitization (partial): While the skill includes basic Markdown escaping for alt-text (e.g.,
escapeMarkdownAlt), it does not sanitize the main body of tweets against potential prompt injection attacks.
Audit Metadata