daily-news
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill automatically modifies the ~/.claude.json configuration file to register a third-party MCP (Model Context Protocol) server using npx @browsermcp/mcp@latest. This allows external code to run as a persistent service on the host machine to facilitate browser automation.
- [COMMAND_EXECUTION]: The skill performs multiple shell operations including file system modifications (mkdir, cp), database management (scripts/db.py), and automated updates to ~/.claude/CLAUDE.md. It also uses the GitHub CLI (gh) and Git for automated website deployment via build.py.
- [EXTERNAL_DOWNLOADS]: The skill initiates downloads of third-party dependencies and tools via pip (pyyaml, feedparser, requests, beautifulsoup4), npm (agent-browser), and npx (@browsermcp/mcp). It also fetches content from arbitrary external RSS feeds and URLs.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface when summarizing fetched news content.
  - Ingestion points: Untrusted text is retrieved from external URLs and Twitter/X feeds in Stage 1 and Stage 2.
  - Boundary markers: The summary prompt in references/prompts/summary.md lacks robust XML-style delimiters or explicit instructions to ignore embedded commands in the fetched text.
  - Capability inventory: The agent can write to the filesystem (output/, website/), modify app configuration (~/.claude.json), and execute shell commands.
  - Sanitization: No evidence of input validation or sanitization of fetched web content is present before it is passed to the LLM.
- [CREDENTIALS_UNSAFE]: The documentation (LOGIN_GUIDE.md) provides instructions for manually extracting and transferring browser profiles and cookies (including active Twitter/X sessions). This encourages high-risk handling of sensitive credential data.
Audit Metadata