awkn-skills

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXPOSURE]: The awkn-danger-gemini-web skill utilizes the Chrome DevTools Protocol (CDP) to programmatically extract sensitive session cookies (__Secure-1PSID and __Secure-1PSIDTS) from the user's local Chrome browser to authenticate against Google Gemini services. This bypasses standard security boundaries between applications.
  • [COMMAND_EXECUTION]: Multiple skills, including awkn-post-to-wechat and awkn-compress-image, use child_process.spawn and execSync from Node's child_process module to run system-level utilities such as osascript, xdotool, powershell, swift, sips, and imagemagick. This provides a significant attack surface if the inputs to these commands are not perfectly sanitized.
  • [REMOTE_CODE_EXECUTION]: The awkn-post-to-wechat skill dynamically generates Swift scripts at runtime, writes them to temporary directories, and executes them using the system's swift interpreter to manipulate the system clipboard. This pattern of dynamic code generation and execution is a high-risk vector.
  • [CREDENTIALS_UNSAFE]: The system automates login and session management for both Google and WeChat accounts. It stores and rotates session tokens locally in the awkn-skills/gemini-web directory, which could be targeted by other malicious software on the same machine.
  • [INDIRECT_PROMPT_INJECTION]: The skills awkn-content-decomposition and awkn-viral-article ingest large amounts of untrusted external content (books, articles, or web pages) and interpolate them directly into complex prompt templates.
      • Ingestion points: File paths or pasted text in scripts like wechat-browser.ts and wechat-article.ts.
      • Boundary markers: The skills rely on basic markdown headers or simple text instructions, which may fail to prevent an attacker from embedding hidden instructions in the source text.
      • Capability inventory: The agent has access to browser automation (CDP), the system clipboard, and arbitrary command execution, making the potential impact of a successful injection high.
      • Sanitization: There is no evidence of robust sanitization or filtering of user-provided content before it reaches the AI model or the automation scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 05:31 AM