chirp
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to instructions embedded in external data it processes.
  - Ingestion points: Untrusted data enters the agent context via `browser action=snapshot` in `SKILL.md` when viewing the timeline (x.com/home), search results (x.com/search), or specific profiles.
  - Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore instructions found within the tweets themselves.
  - Capability inventory: The skill possesses significant write/execute capabilities via `browser action=act`, including clicking (`'kind':'click'`) and typing (`'kind':'type'`). These allow the agent to post new tweets, reply to existing ones, and follow accounts.
  - Sanitization: Absent. There is no evidence of filtering or sanitizing the content retrieved from the browser snapshot before the agent interprets it.
- COMMAND_EXECUTION (LOW): The skill mentions the requirement for `Xvfb` on headless servers, which involves local system configuration, but it does not perform arbitrary shell command execution within the provided scripts.
Recommendations
- AI detected serious security threats