engagement-tracker

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses AppleScript (osascript) to execute arbitrary JavaScript code within the active tab of Google Chrome. This allows the agent to interact with web pages and internal APIs using the user's authenticated session, bypassing standard security prompts.
  • [EXTERNAL_DOWNLOADS]: Relies on the twikit Python library, a third-party tool used for scraping Twitter by mimicking browser behavior, which is not an official or verified dependency.
  • [DATA_EXFILTRATION]: The skill is designed to access and use sensitive social media session cookies (twitter_cookies.json and Chrome's internal credentials). While used for metrics in this context, this pattern represents a high risk for the exfiltration of private session tokens or user data.
  • [REMOTE_CODE_EXECUTION]: Although the code is currently static, the use of tab.execute({javascript: ...}) via AppleScript creates a significant vulnerability where dynamically generated instructions could lead to remote code execution within the browser context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 29, 2026, 09:43 AM