last30days-cn
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill aggregates data from several social media platforms, creating a significant surface for indirect prompt injection.
- Ingestion points: Data is fetched from Weibo, Xiaohongshu, Bilibili, Zhihu, Douyin, WeChat, Baidu, and Toutiao (refer to the modules in
scripts/lib/). - Boundary markers: Absent. Reports rendered in
render.pyprovide text from these platforms to the agent without using delimiters or instructions to ignore embedded commands. - Capability inventory: The skill is configured with access to
BashandWritetools inSKILL.md, providing a powerful execution environment for potentially malicious instructions ingested from external sources. - Sanitization: Content is cleaned of HTML tags but is not otherwise sanitized for prompt injection payloads before being delivered to the agent.
- [COMMAND_EXECUTION]: A configuration hook script uses an insecure shell coding pattern.
- Evidence: The file
hooks/scripts/check-config.shuseseval "ENV_${key}=\"${value}\""to load environment variables from the user's.envfile. This represents a command execution risk if the configuration file is modified to contain malicious shell characters.
Audit Metadata