x-dm-auto-chat
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes message content from unverified peers in X DM conversations.
  - Ingestion points: The scripts `scripts/read-conversation.py` and `scripts/scan-inbox-merged.py` extract text from peer messages and previews directly from the browser's DOM for processing by the agent.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat message content as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill possesses significant capabilities, including browser navigation, user input simulation, and JavaScript execution via `browser-act` across its various business flows.
  - Sanitization: There is no evidence of sanitization or filtering of the message content before it is passed to the calling agent for reply generation.
- [COMMAND_EXECUTION]: The skill relies on executing dynamically generated JavaScript payloads within the browser session to interact with the page and APIs.
  - Evidence: Each script in the `scripts/` directory generates a JavaScript string that is passed to `browser-act --session <name> eval` for execution. This is a powerful capability used here for legitimate automation, but it represents an execution surface that could be targeted if inputs are not properly controlled.
Audit Metadata