instagram

Fail

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file scripts/config.py contains a hardcoded IMGUR_CLIENT_ID. Furthermore, scripts/auth.py and scripts/db.py facilitate the storage of sensitive Instagram app_secret and access_token credentials in a local SQLite database (data/instagram.db) in plaintext, which is an insecure storage practice.
  • [DATA_EXFILTRATION]: The skill's publication pipeline in scripts/publish.py and scripts/api_client.py automatically uploads local files to Imgur to generate public URLs. This functionality can be abused to exfiltrate sensitive local data if an attacker can trick the agent into processing non-media files as publication candidates.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it ingests untrusted content from the public internet.
      • Ingestion points: Data is ingested from Instagram comments (scripts/comments.py), direct messages (scripts/messages.py), and hashtag search results (scripts/hashtags.py).
      • Boundary markers: No delimiters or defensive instructions are used to separate untrusted external content from the agent's primary instructions.
      • Capability inventory: The skill allows the agent to read local files, execute network operations (POST/DELETE), and perform database writes.
      • Sanitization: The scripts do not sanitize or validate the content of comments or messages before passing them to the agent.
  • [COMMAND_EXECUTION]: The skill relies on the execution of local Python scripts via shell commands to perform its core functions, as documented in SKILL.md. While intended for automation, this provides a wide interface for command-based interaction with the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 15, 2026, 04:35 AM