baoyu-post-to-x
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands using `npx -y bun` to run local TypeScript scripts. This allows the agent to spawn subprocesses and interact with the system shell directly to perform automation tasks.
- [CREDENTIALS_UNSAFE] (HIGH): The skill manages and persists X (Twitter) browser sessions. It explicitly uses Chrome profiles to bypass anti-automation, meaning the agent has access to sensitive session cookies and authentication tokens stored in the browser profile directories (`--profile <dir>`).
- [PROMPT_INJECTION] (HIGH): Category 8 (Indirect Prompt Injection). The skill is designed to process untrusted external content (text, Markdown articles) and post it to a public platform.
  - Ingestion points: Positional arguments for post text/comments and input file paths for Markdown articles (`article.md`).
  - Boundary markers: None identified. There are no delimiters or instructions to ignore embedded commands in the input data.
  - Capability inventory: Browser automation via CDP, shell command execution, and file system read access.
  - Sanitization: None identified. The skill lacks evidence of escaping or validating external content before processing.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Use of `npx -y` indicates that packages may be downloaded and executed at runtime. While targeting local scripts, the underlying dependencies of those scripts are not pinned or verified in the provided metadata.
Recommendations
- AI detected serious security threats
Audit Metadata