Skills
skills/vegetapn/writing-assistant-skill/writing-assistant/Gen Agent Trust Hub

writing-assistant

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The installation guide in README.md and README.zh-CN.md instructs users to download a ZIP archive directly from an untrusted GitHub repository (VegetaPn/writing-assistant-skill) and execute its contents. This bypasses package manager safety checks.
  • REMOTE_CODE_EXECUTION (HIGH): The skill utilizes several bundled dependencies and scripts that execute remote-downloaded code. The automated scan confirmed a high-risk pattern: 'https://github.com/VegetaPn/writing-assistant-skill/archive/refs/heads/main.zip' downloaded and executed via shell commands.
  • COMMAND_EXECUTION (MEDIUM): Extensive use of high-privilege system automation. This includes using osascript on macOS to send real keystrokes (Cmd+V) and powershell on Windows for clipboard control, which can be repurposed for malicious system interaction.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill requires and manages OPENROUTER_API_KEY stored in a plain-text .env file. Scripts like generate_image.py and check-env.sh read this file directly. Additionally, the skill manages persistent browser session data for X (Twitter) and WeChat in local directories (e.g., ~/.local/share/x-browser-profile), creating a significant target for data exposure.
  • PROMPT_INJECTION (LOW): Vulnerable to indirect prompt injection (Category 8). The skill is designed to scrape and 'deep-analyze' viral posts and trending content from social media platforms (X, WeChat, Xiaohongshu) to extract patterns. This creates a surface where malicious external content could influence the agent's behavior during the drafting or publishing phases.
  • Ingestion points: topic-manager.md (Analyze viral post + URL), wechat-article-search (search results).
  • Boundary markers: Absent; the skill directly interpolates scraped content into analysis and writing prompts.
  • Capability inventory: Execution of shell/Python scripts, browser automation (CDP), and direct publishing capabilities to WeChat and X.
  • Sanitization: None detected; the skill relies on the LLM's inherent safety filters to handle potentially malicious scraped data.
Recommendations
  • HIGH: Downloads and executes remote code from: https://github.com/VegetaPn/writing-assistant-skill/archive/refs/heads/main.zip - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 22, 2026, 02:02 PM