ai-content-publisher
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill implements an automated content pipeline that fetches data from untrusted external sources (RSS feeds and GitHub).
- Ingestion points: scripts/fetch_hotspots.py fetches titles and summaries from various RSS feeds and the GitHub Search API.
- Boundary markers: No delimited boundaries or "ignore embedded instructions" warnings are provided when this data is passed to the downstream article generator.
- Capability inventory: The skill can execute shell commands (run_auto.py, manual_test.sh) and publish content to WeChat via external scripts (scripts/publisher.py).
- Sanitization: No evidence of sanitization or filtering was found for the fetched titles and summaries before they are interpolated into the generation process. An attacker controlling an RSS feed could inject instructions to hijack the article's tone or content, or attempt to exploit the underlying LLM's capabilities.
- Command Execution (SAFE): The skill uses subprocess.run and shell scripts to orchestrate its workflow. In run_auto.py, shell=True is used, but the commands are constructed from static strings and local paths (script_dir), minimizing the risk of arbitrary command injection.
Audit Metadata