x-post-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The workflow in `SKILL.md` instructs the agent to run a shell command: `python3 scripts/learn_from_accepted.py --post "<accepted_post_text>"`. Since the post content is derived from untrusted user drafts, an attacker can include shell metacharacters (e.g., `$(...)`, `&&`, `;`) to execute arbitrary commands on the host system.
- [PROMPT_INJECTION] (HIGH): This skill has a significant indirect prompt injection surface (Category 8). It ingests untrusted user ideas (Step 1) and uses them to generate content that influences future agent behavior via the `references/brand.md` file.
  * Ingestion points: User drafts and ideas in `SKILL.md`.
  * Boundary markers: None present to separate user content from instructions.
  * Capability inventory: Executes shell commands and writes to the filesystem.
  * Sanitization: No sanitization is performed on the user-provided text before it is used in a shell command or saved to a configuration file.
Recommendations
- AI detected serious security threats
Audit Metadata