freshrss
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: A command injection vulnerability exists in the `cmd_headlines` function within `scripts/freshrss.sh`. The `--hours` argument is interpolated into a subshell execution block `$(date ...)` without quoting or validation, enabling arbitrary shell command execution. An attacker could potentially gain control of the environment if the agent is persuaded to run this command with a malicious parameter.
- [CREDENTIALS_UNSAFE]: The authentication mechanism in `scripts/freshrss.sh` sends the `FRESHRSS_API_PASSWORD` as a visible query parameter in a URL during the login process. This practice can lead to credential exposure in server logs, proxy logs, and command-line history.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It retrieves and presents data from external RSS feeds to the agent without sanitization or isolation.
  - Ingestion points: External RSS headlines and metadata are fetched using the FreshRSS API in `scripts/freshrss.sh` and output to the agent's context.
  - Boundary markers: No delimiters or specific instructions are used to separate untrusted feed content from the agent's system instructions.
  - Capability inventory: The skill possesses network access and local script execution capabilities.
  - Sanitization: The retrieved RSS data is displayed to the agent directly without any validation, escaping, or filtering.
Recommendations
- AI detected serious security threats
Audit Metadata