baoyu-post-to-x

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation and helper scripts suggest installing the Bun runtime from its official source using the command curl -fsSL https://bun.sh/install | bash.
  • [COMMAND_EXECUTION]: The skill uses spawn and spawnSync to execute various system utilities across platforms to simulate user input, including osascript on macOS, powershell.exe on Windows, and xdotool or ydotool on Linux.
  • [COMMAND_EXECUTION]: On macOS, the skill dynamically generates and executes temporary Swift scripts (using the swift command) to interact with the AppKit framework for copying image data to the system clipboard.
  • [EXTERNAL_DOWNLOADS]: The md-to-html.ts script fetches remote images via HTTP/HTTPS from URLs specified within the user-provided Markdown content to download them for processing.
  • [COMMAND_EXECUTION]: The skill launches Google Chrome with the --remote-debugging-port and --user-data-dir flags to enable automation via the Chrome DevTools Protocol (CDP) and maintain persistent login sessions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bun.sh/install - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 12, 2026, 05:59 AM