x-dm-auto-chat

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes message content from unverified peers in X DM conversations.
  • Ingestion points: The scripts scripts/read-conversation.py and scripts/scan-inbox-merged.py extract text from peer messages and previews directly from the browser's DOM for processing by the agent.
  • Boundary markers: No explicit delimiters or instructions are provided to the agent to treat message content as untrusted data or to ignore embedded instructions.
  • Capability inventory: The skill possesses significant capabilities, including browser navigation, user input simulation, and JavaScript execution via browser-act across its various business flows.
  • Sanitization: There is no evidence of sanitization or filtering of the message content before it is passed to the calling agent for reply generation.
  • [COMMAND_EXECUTION]: The skill relies on executing dynamically generated JavaScript payloads within the browser session to interact with the page and APIs.
  • Evidence: Each script in the scripts/ directory generates a JavaScript string that is passed to browser-act --session <name> eval for execution. This is a powerful capability used here for legitimate automation, but it represents an execution surface that could be targeted if inputs are not properly controlled.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 13, 2026, 04:39 AM
Security Audit — agent-trust-hub — x-dm-auto-chat