rss-ai-reader
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [External Downloads & Remote Code Execution] (HIGH): The skill requires cloning a repository from an untrusted source (
https://github.com/BENZEMA216/rss-reader.git) and executing its contents locally viapython main.py. This allows the repository owner to execute arbitrary code on the host system, posing a significant security risk. - [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection because it fetches untrusted content from external RSS feeds and passes it directly to an LLM for summarization.
- Ingestion points: RSS feed URLs specified in the configuration files (
SKILL.mdandconfig_guide.md). - Boundary markers: No specific delimiters or safety instructions (e.g., "ignore instructions inside this text") are defined to separate the untrusted feed content from the LLM prompt.
- Capability inventory: The skill possesses network capabilities (to fetch feeds and send notifications to Feishu/Telegram/Email) and file system access (to maintain a SQLite database).
- Sanitization: There is no evidence of content sanitization or validation before the external data is processed by the AI.
Recommendations
- AI detected serious security threats
Audit Metadata