algorithm-cultivation
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive credentials, including an X/Twitter session cookie and an OpenRouter API key. Documentation suggests storing the API key in the browser's `localStorage` on the x.com domain. This is an unsafe practice because any script running on the same domain (whether from a cross-site scripting (XSS) vulnerability or a malicious browser extension) can access and steal the key.
- [PROMPT_INJECTION]: The skill exhibits a significant risk of Indirect Prompt Injection. It automatically reads untrusted data from X/Twitter (such as tweets, search results, and notifications) and uses this content as input for an LLM that controls account actions. An attacker could craft malicious posts designed to hijack the bot's logic and perform unauthorized actions.
  - Ingestion points: The automation scripts (e.g., `algorithmBuilder.js`) ingest live tweet text and search results directly from the x.com DOM.
  - Boundary markers: No defensive delimiters or instructions to ignore embedded commands are documented when passing external content to the LLM.
  - Capability inventory: The bot has extensive capabilities including posting, replying, following users, and navigating the site.
  - Sanitization: There is no evidence of content filtering or sanitization before external data is processed by the AI persona.
- [COMMAND_EXECUTION]: The documentation encourages users to paste large blocks of JavaScript (e.g., `core.js`, `algorithmTrainer.js`) directly into the browser's DevTools console. This practice normalizes 'Self-XSS' behaviors which are commonly exploited in social engineering attacks to compromise user accounts.
Audit Metadata