bluesky-jetstream
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingest live, untrusted user-generated content from a public social media firehose and interpolates it into the agent's memory.
- Ingestion Points: Data enters via WebSocket connections to wss://jetstream2.us-east.bsky.network/subscribe.
- Evidence: The ingest-to-substrate function in SKILL.md uses a format string to combine raw post text with agent instructions without any delimiters.
- Capability Inventory: The skill processes this data for use in the agent's memory-substrate, which influences downstream reasoning and tool use.
- Sanitization: No evidence of filtering, escaping, or boundary enforcement for external content.
- [External Downloads] (LOW): The skill establishes persistent connections to external infrastructure to stream data.
- Evidence: Connects to wss://jetstream2.us-east.bsky.network/subscribe.
- [Metadata Poisoning] (MEDIUM): The documentation uses pseudo-scientific and esoteric terminology to describe simple data processing.
- Evidence: Sections such as 'Savitch Connection' and 'GF(3) Naturality' use complex computer science and mathematical concepts in a nonsensical context, which may mislead users regarding the skill's security properties and actual logic.
Recommendations
- AI detected serious security threats
Audit Metadata