Skills
skills/gooseworks-ai/goose-skills/community-signals/Gen Agent Trust Hub

community-signals

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from Hacker News via the Algolia API (hn.algolia.com) and Reddit via the Apify API or a vendor-provided proxy (api.gooseworks.ai). This is a core part of its lead extraction functionality.\n- [COMMAND_EXECUTION]: Executes a local Python script, scripts/community_signals.py, to perform the web requests and process the results into CSV files.\n- [CREDENTIALS_UNSAFE]: It searches for APIFY_API_TOKEN or GOOSEWORKS_API_KEY in environment variables and local .env files. This is consistent with standard practices for managing API credentials in developer tools.\n- [PROMPT_INJECTION]: The skill ingests untrusted content from public developer forums which is later analyzed by the agent, presenting a surface for indirect prompt injection.\n
  • Ingestion points: Public posts and comments from Hacker News and Reddit are saved to community_signals_signals.csv (Phase 3).\n
  • Boundary markers: There are no specific delimiters or instructions provided to the agent to disregard potential instructions embedded in the forum data during the analysis phase (Phase 4).\n
  • Capability inventory: The agent has access to Bash, Write, and WebSearch tools, which could be targeted by sophisticated injections.\n
  • Sanitization: The script includes basic HTML cleaning for HN comments but does not filter for logical prompt injection patterns.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 10, 2026, 10:48 AM