baoyu-post-to-x
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill uses
osascript(macOS),powershell(Windows), andxdotool(Linux) to simulate real keyboard events (Cmd+V/Ctrl+V). This bypasses application-level security boundaries and requires elevated 'Accessibility' permissions on macOS, which could be abused to control other aspects of the system. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses
npx -y bunto dynamically download the Bun runtime. Documentation also specifies that remote images in Markdown files are automatically downloaded to a local temp directory, which could be exploited for SSRF or malicious file ingestion. - [REMOTE_CODE_EXECUTION] (HIGH): The use of
npx -y buninvolves fetching and executing code from the internet at runtime, posing a supply-chain risk. - [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). 1. Ingestion points: Markdown files and remote images. 2. Boundary markers: None; content is parsed directly. 3. Capability inventory: Can launch a browser, navigate to X, and publish posts. 4. Sanitization: Limited to browser-context JS escaping; no validation for malicious instructions in the source files.
- [DATA_EXFILTRATION] (HIGH): Accesses sensitive Chrome profile data in
~/.local/share/x-browser-profile. While no network send is explicit in the provided scripts, accessing session cookies and credentials from the browser profile is categorized as high-severity data exposure.
Recommendations
- AI detected serious security threats
Audit Metadata