atproto-ingest
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill ingests untrusted data from the Bluesky social network, which could contain adversarial content designed to override downstream agent behavior.
- Ingestion points:
fetch_all_posts,stream-mentions, andextract_thread_treeinSKILL.mdall ingest raw post text and metadata. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the processing logic.
- Capability inventory: The skill utilizes
requestsandwebsocketfor network communication andduckdbfor local database writes. - Sanitization: While it uses parameterized SQL queries via
duckdb.execute, there is no sanitization or filtering of the actual content of the posts before ingestion. - Data Exposure & Exfiltration (LOW): The skill performs network operations to fetch data from non-whitelisted domains.
- Network operations: Communicates with
https://bsky.socialandwss://bsky.networkusing authentication headers. - Context: These operations are necessary for the skill's functionality, but the use of Bearer tokens over the network to external endpoints warrants verification of the environment's security posture.
Audit Metadata