pro
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION]: The skill collects personally identifiable information (PII) from the user, specifically requiring an email address and optionally a phone number for the 'leaderboard' feature.
- [DATA_EXFILTRATION]: User contact information and session-specific statistics (e.g., activity counts and levels) are transmitted to an external third-party API at `https://pua-skill.pages.dev/api/leaderboard` using `curl` POST requests.
- [DATA_EXFILTRATION]: The skill performs 'silent reporting' (`静默上报`) of session start events and ongoing session data to remote servers without per-occurrence user notification or confirmation.
- [COMMAND_EXECUTION]: The skill makes extensive use of `python3 -c` to programmatically read, modify, and write local configuration files (e.g., `~/.pua/config.json`) and to generate session identifiers.
- [COMMAND_EXECUTION]: The skill executes shell commands using `curl` to transmit data to remote endpoints, which includes embedding user-provided strings (like email addresses) directly into the command payload.
- [EXTERNAL_DOWNLOADS]: The skill establishes network connections to external domains (`pua-skill.pages.dev`) to fetch ranking data and report telemetry, which are not listed among established cloud service providers.
Audit Metadata