hackernews-frontpage

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted content from the Hacker News front page. An attacker could craft a story title or comment that, when processed by the agent, acts as a malicious instruction.
      • Ingestion points: Content is fetched from https://news.ycombinator.com/ in script.ts.
      • Boundary markers: Absent. Scraped data is placed directly into the JSON output structure without specific delimiters or instructions for the agent to treat it as untrusted.
      • Capability inventory: The skill facilitates browser-based data retrieval via a local daemon.
      • Sanitization: The skill performs standard HTML tag removal and entity decoding, but does not implement filtering for adversarial prompt content.
  • [COMMAND_EXECUTION]: The skill uses a subprocess to determine the project's root directory via the system's git command.
      • Evidence: cp.spawnSync('git', ['rev-parse', '--show-toplevel'], ...) in _lib/browse-client.ts.
  • [DATA_EXFILTRATION]: The skill accesses a local configuration file to retrieve a daemon authentication token. While this is used for local communication, it involves reading from potentially sensitive file paths.
      • Evidence: Accesses .gstack/browse.json (or the path specified by the BROWSE_STATE_FILE environment variable) in _lib/browse-client.ts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 10, 2026, 12:18 PM