xhs-topic-scout
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install an external dependency from a third-party GitHub repository (eze-is/web-access) to provide browser automation capabilities.
- [REMOTE_CODE_EXECUTION]: By facilitating the installation and execution of external scripts, the skill enables the running of third-party code that is not part of the core package.
- [COMMAND_EXECUTION]: The skill uses local shell commands to manage its environment, including dependency checks (ls), starting a Node.js proxy service (node), and launching web browsers (start chrome, start msedge).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes content from external financial news sites and social media without robust sanitization.
  - Ingestion points: Extracts text from sites like CLS, Sina, EastMoney, and Xiaohongshu search results via a local proxy.
  - Boundary markers: The instructions lack delimiters or system directives to ensure the agent ignores instructions embedded within the fetched data.
  - Capability inventory: The skill environment allows local command execution (node, python), file writes to the output directory, and proxied network access.
  - Sanitization: Content extraction relies on basic string manipulation and regular expressions, which are insufficient to filter out malicious instructional text embedded in the source pages.
Audit Metadata