x-research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from the X API and potentially from external websites. Evidence Chain:
  1. Ingestion points: Data enters via `scripts/x_api.py` (search results, threads, profiles) and via `WebFetch` (as instructed in `SKILL.md` for linked content).
  2. Boundary markers: `scripts/x_format.py` uses basic markdown blockquotes (`>`), which do not reliably stop a modern LLM from following instructions embedded in the quoted text.
  3. Capability inventory: The skill has `Bash` and `Write` permissions.
  4. Sanitization: There is no filtering or sanitization of instructions embedded within fetched tweets.

  An attacker could craft a tweet that, when processed, commands the agent to execute malicious code via `Bash` or modify sensitive files.
- [Command Execution] (MEDIUM): The skill's operational model relies on the agent iteratively executing Bash commands to run search scripts. Combined with the high-risk ingestion of untrusted data from X, this creates a significant attack surface in which external content can directly influence the parameters or logic of executed commands.
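The boundary-marker and sanitization gaps described above could be narrowed along the following lines. This is a minimal sketch, not the skill's actual code: the function name `wrap_untrusted`, the delimiter format, and the `SUSPICIOUS` pattern list are all hypothetical, and pattern matching of this kind only reduces risk rather than eliminating prompt injection.

```python
import re
import secrets

# Hypothetical, deliberately small pattern list (an assumption for illustration).
# A real filter would need a broader, tested set and would still be bypassable.
SUSPICIOUS = re.compile(
    r"ignore (all |any )?(previous|prior|above) instructions"
    r"|run the following"
    r"|execute this"
    r"|rm -rf",
    re.IGNORECASE,
)


def wrap_untrusted(text: str) -> str:
    """Wrap fetched text in a per-call random delimiter and flag suspicious phrasing.

    The nonce is generated after the text was fetched, so the text cannot
    contain a matching closing delimiter written in advance by an attacker.
    """
    nonce = secrets.token_hex(8)
    flagged = bool(SUSPICIOUS.search(text))
    header = f"<untrusted-{nonce} flagged={str(flagged).lower()}>"
    footer = f"</untrusted-{nonce}>"
    return f"{header}\n{text}\n{footer}"
```

Unlike a fixed `>` blockquote prefix, a random delimiter cannot be closed early by the quoted content, and the `flagged` attribute gives the agent or a reviewer a signal to treat the item with extra caution.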
Recommendations
- AI detected serious security threats
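One possible mitigation for the Command Execution finding is to build each script invocation as an argument list instead of a shell string, so that text derived from tweets is never interpreted by a shell. The sketch below is illustrative only: the `search` subcommand, the `--limit` flag, and the length and range limits are assumptions, since the actual command-line interface of `scripts/x_api.py` is not described in this report.

```python
import subprocess
import sys


def build_search_command(query: str, limit: int = 20) -> list[str]:
    """Build an argv list for the search script without involving a shell."""
    if not isinstance(limit, int) or not 1 <= limit <= 100:
        raise ValueError("limit must be an integer between 1 and 100")
    if not query or len(query) > 512 or "\x00" in query:
        raise ValueError("query is empty, too long, or contains a NUL byte")
    # "search" and "--limit" are hypothetical; adapt to the script's real CLI.
    # "--" ends option parsing so a query starting with "-" is not read as a flag.
    return [sys.executable, "scripts/x_api.py", "search",
            "--limit", str(limit), "--", query]


def run_search(query: str, limit: int = 20) -> subprocess.CompletedProcess:
    """Run the search with shell=False (the default) and a timeout."""
    return subprocess.run(
        build_search_command(query, limit),
        capture_output=True,
        text=True,
        check=False,
        timeout=60,
    )
```

Because the query is passed as a single list element, a value such as `foo; rm -rf /` reaches the script as literal text rather than as a second command.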
Audit Metadata