ai-news-briefing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection.\n
- Ingestion points: Fetches content from 17+ external RSS feeds in
collectors/rss_common.py.\n - Boundary markers: Uses only a simple
[AI_NEWS_CANDIDATES]header inpipeline/prompt_builder.pywithout instructions for the agent to ignore commands within the external data.\n - Capability inventory: The resulting
ai_inputis directly fed into the AI prompt. Maliciously crafted news items could hijack the agent's behavior if it has write or execution capabilities.\n - Sanitization: Only basic HTML tag stripping is performed; no validation or filtering of natural language instructions is present.\n- REMOTE_CODE_EXECUTION (MEDIUM): Insecure XML parsing in
collectors/rss_common.py.\n - Evidence: Uses
xml.etree.ElementTree.fromstringto process external RSS feeds. This module is not secure against maliciously constructed data and is vulnerable to XML-based attacks like Denial of Service (Billion Laughs).\n- EXTERNAL_DOWNLOADS (MEDIUM): Recommends installation from an untrusted GitHub user.\n - Evidence: The README.md suggests installation via
npx skills add vc999999999/ai-news-skill. The uservc999999999is not a verified or trusted entity within the security policy.
Recommendations
- AI detected serious security threats
Audit Metadata