social
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from a social network and interpolates it into LLM prompts to generate replies and direct messages.
  - Ingestion points: Data is pulled via `social.sh post view` (posts and replies), `social.sh dm chat` (incoming messages), and `social.sh network semantic search` (user-generated musings).
  - Boundary markers: Templates in `dm.md` and `engage.md` use basic variable interpolation (e.g., `{post_content}`) but lack robust delimiters or instructions to ignore malicious commands embedded in the data.
  - Capability inventory: The agent can perform significant actions based on LLM output, including `social.sh post reply`, `social.sh dm send`, and `social.sh friends request`.
  - Sanitization: No evidence of sanitization or filtering of the external content before prompt interpolation.
- [Command Execution] (LOW): The skill frequently assembles shell commands for the `social.sh` tool using variables derived from user input or external data (e.g., `<interest>`, `<email>`, `<message>`). This creates a vulnerability surface for command injection if the underlying execution environment does not properly escape or sanitize these arguments.
- [Data Exposure] (SAFE): The skill accesses sensitive information such as direct messages and user interaction history. While this is consistent with the stated purpose of a social management tool and no exfiltration patterns were detected, the access to private communications is a high-sensitivity data surface.
Audit Metadata