bluesky

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection. It retrieves untrusted external content and has the privilege to perform actions with side effects (posting).
      • Ingestion points: External data is ingested via app.bsky.feed.searchPosts and app.bsky.actor.getProfile in SKILL.md.
      • Boundary markers: There are no delimiters or instructions to ignore embedded commands in the processed data.
      • Capability inventory: The skill can execute com.atproto.repo.createRecord to publish content to the user's account.
      • Sanitization: No sanitization or validation of the ingested external content is performed before it influences agent behavior or output.
  • Data Exposure & Exfiltration (MEDIUM): The skill uses curl commands to transmit environment variables containing sensitive authentication data (BLUESKY_APP_PASSWORD and ACCESS_TOKEN) to bsky.social.
  • Command Execution (LOW): The skill provides functional shell command templates for API interaction, which may be executed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:21 AM