baoyu-post-to-x

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted text and markdown data to be published on X. Because the skill possesses 'Write' capabilities (publishing to a public social network), it is classified in the HIGH severity tier. Ingestion points: the 'text' parameter in 'x-browser.ts', 'x-video.ts' and 'x-quote.ts', and markdown files in 'x-article.ts'. Boundary markers: none. Capability inventory: launches Chrome, uses CDP for DOM interaction, executes system-level UI automation scripts, and submits posts. Sanitization: uses 'JSON.stringify' for JS interpolation but lacks content safety validation.
  • COMMAND_EXECUTION (HIGH): The skill executes arbitrary system commands via 'spawnSync' and 'spawn'. Specifically, 'scripts/paste-from-clipboard.ts' uses 'osascript' on macOS, 'powershell.exe' on Windows, and 'xdotool'/'ydotool' on Linux to simulate keyboard events. These tools require elevated permissions (e.g., Accessibility on macOS) and can be abused to interact with other applications if the command arguments are influenced.
  • EXTERNAL_DOWNLOADS (MEDIUM): Documentation in 'references/articles.md' indicates that remote images are automatically downloaded to a temporary directory during the article creation process. Furthermore, the skill relies on 'npx -y bun', which may trigger external downloads of the Bun runtime or dependencies if they are missing from the environment.
  • CREDENTIALS_UNSAFE (LOW): The skill explicitly accesses and manages sensitive browser data. It uses a persistent Chrome profile directory (defaulting to '~/.local/share/x-browser-profile') to store and reuse X.com session cookies. While necessary for the skill's purpose, this targets highly sensitive user data.
  • DYNAMIC_EXECUTION (MEDIUM): The skill performs dynamic code generation and execution. It uses Chrome's CDP 'Runtime.evaluate' to execute JavaScript within the browser context and dynamically constructs system scripts (AppleScript/PowerShell) to perform UI automation. This behavior increases the potential attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:05 AM