post-to-xhs
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill orchestrates its workflow by executing local Python scripts (e.g., `publish_pipeline.py`, `cdp_publish.py`) via the shell. These scripts interact with the filesystem to create temporary files for content and launch browser processes for automation.
- [EXTERNAL_DOWNLOADS]: The `image_downloader.py` script facilitates the downloading of image files from user-provided or web-extracted URLs. It uses the `requests` library and implements basic security practices such as file type guessing and path normalization to handle remote content locally before uploading to the target platform.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8). It ingests untrusted data from external websites via a `WebFetch` tool to summarize content for social media posts.
  - Ingestion points: External URLs processed via `WebFetch` in `SKILL.md` (Step 2).
  - Boundary markers: The instructions do not define clear delimiters or specific instructions to ignore embedded commands during the summarization phase.
  - Capability inventory: The skill can write files to the local disk, launch Chrome instances with remote debugging, and execute JavaScript within the browser context (`cdp_publish.py`).
  - Sanitization: The skill uses `json.dumps` to escape user-provided content before injecting it into the browser via `Runtime.evaluate`, and it enforces character count limits on titles.
Audit Metadata