cook-the-blog

Fail

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill performs npm install and npm run build within a repository cloned from a user-provided URL ([TARGET_REPO_URL]) in SKILL.md. This is a critical risk as malicious repositories can execute arbitrary code via npm post-install scripts or build-time hooks.
  • [COMMAND_EXECUTION]: The workflow involves extensive use of shell commands to manage external tools, including git, gh, gsutil, and custom CLI tools like blog-cover-cli.
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to read high-value secrets from local files, such as token.txt for GitHub authentication and service-account.json for Google Cloud access, as seen in README.md and SKILL.md.
  • [DATA_EXFILTRATION]: The agent is granted access to sensitive credentials (GCP keys, GitHub tokens, Email App Passwords) and is tasked with performing network-bound operations like pushing to GitHub, uploading to cloud buckets, and sending emails via SMTP. This combination creates a pathway for silent credential exfiltration.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and executes several external packages at runtime, including @modelcontextprotocol/server-tavily via npx -y and blog-cover-image-cli via global npm installation.
  • [PROMPT_INJECTION]: There is a metadata discrepancy where the provided author context is 'Varnan-Tech', but the SKILL.md frontmatter lists 'OpenDirectory', which may indicate deceptive intent or unverified origins.
  • [DATA_INGESTION_RISK]: (Category 8) The skill has a high surface for indirect prompt injection:
    • Ingestion points: Fetches untrusted data from the open web (Tavily), Reddit forums, and Google Trends (SerpApi) as specified in SKILL.md Steps 1 and 2.
    • Boundary markers: None. The research data is directly synthesized into the MDX output.
    • Capability inventory: Includes git push (Step 7), gsutil cp (Step 6), smtplib (Step 8), and npm run build (Step 7).
    • Sanitization: None mentioned. The agent is encouraged to use 'authentic developer insights' from forums, which are easily manipulated by attackers.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 19, 2026, 08:34 AM