agent-reach-internet-access
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess.run` to execute various external CLI tools, including `yt-dlp`, `gh`, `twitter-cli`, and `rdt-cli`. These commands are often constructed using user-supplied inputs or search queries, which could be exploited if inputs are not properly sanitized by the underlying utilities.
- [CREDENTIALS_UNSAFE]: The skill instructs users on how to export and store sensitive authentication cookies for platforms like Twitter, Reddit, and XiaoHongShu. It specifically identifies paths where these credentials are stored locally, such as `~/.twitter-cli/config.json`, `~/.rdt-cli/cookies.json`, and `~/.mcporter/xiaohongshu/config.json`.
- [EXTERNAL_DOWNLOADS]: Fetches web content through the `https://r.jina.ai/` proxy service to convert pages to markdown. While Jina is a recognized service, this involves downloading and processing third-party data from the internet.
- [DATA_EXFILTRATION]: The skill presents a high risk of indirect prompt injection due to its core function of ingesting untrusted data.
  - Ingestion points: Scrapes data from Twitter threads, Reddit posts, YouTube subtitles, GitHub issues, and arbitrary web pages.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when the scraped content is passed to the agent.
  - Capability inventory: The skill possesses the ability to execute system commands (`subprocess.run`), read local configuration files, and make network requests (`requests.get`).
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from external sources before it reaches the agent.
Recommendations
- HIGH: Downloads and executes remote code from: https://example.com - DO NOT USE without thorough review
Audit Metadata