linkedin-post-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: Data is ingested from ~/.claude/cache/linkedin/brand-brief.json, direct user input for {topic}, and potential external content via WebSearch results.
      ◦ Boundary markers: No delimiters (e.g., XML tags or triple quotes) or 'ignore instructions' warnings are used when interpolating {brand_brief}, {topic}, or {draft} into the system prompts.
      ◦ Capability inventory: The skill uses the Read and Write tools for local file access and WebSearch for network access.
      ◦ Sanitization: No escaping or validation is performed on the untrusted inputs before they are passed to the LLM.
  • [DATA_EXFILTRATION] (MEDIUM): Potential for sensitive data exposure through tool abuse.
      ◦ Evidence: The skill specifically reads from the user's home directory (~/.claude/cache/).
      ◦ Risk: A maliciously crafted 'topic' could attempt to trick the agent into reading other sensitive files and exfiltrating their contents via the WebSearch tool or by embedding them in the 'final post' output.
  • [COMMAND_EXECUTION] (LOW): The skill uses file system tools (Read, Write) to manage local data.
      ◦ Evidence: Steps 1 and 6 involve reading from and writing to the local file system. While restricted to a specific path, successful prompt injection could lead to unauthorized file manipulation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:05 AM