engagement-interaction
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted data from X/Twitter to drive agent behavior.
- Ingestion points: Untrusted data enters the agent context via the
[data-testid="tweetText"]selector insrc/engagementManager.js. - Boundary markers: There are no documented delimiters or 'ignore' instructions to prevent the agent from obeying commands hidden within tweet text.
- Capability inventory: The skill can perform automated actions including
likeTweet,replyToTweet(which accepts arbitrary text), andhideReplyusing Puppeteer. - Sanitization: No sanitization or validation of the ingested tweet content is described before it is used for keyword matching or reply generation.
- [COMMAND_EXECUTION]: The skill facilitates browser-based automation and the execution of external scripts.
- Evidence: The documentation references external files
src/engagementManager.jsandsrc/unlikeAllPosts.jswhich contain the core logic for Puppeteer automation and browser console execution. While intended for its primary purpose, the lack of visibility into these referenced files and the instructions to manually paste code into DevTools represent a standard risk for execution of unverified logic.
Audit Metadata