substack
Warn
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill constructs API requests using a user-provided newsletter URL and automatically attaches the sensitive substack.sid session cookie to all requests made by the client. An attacker could provide a malicious URL to capture this session cookie.
  - Evidence: In scripts/substack.py, the _client function initializes httpx.Client with the session cookie, and the list_posts, get_post, and get_text commands use this client to fetch data from the newsletter argument without domain validation.
- [COMMAND_EXECUTION]: The skill allows writing content to arbitrary local file paths and is vulnerable to path traversal through its argument handling.
  - Evidence: The get_text command in scripts/substack.py uses the --out parameter to write files to any user-specified location. Furthermore, the default output path is constructed using the slug argument (Path(f"/tmp/{slug}.md")), which allows for path traversal if the slug contains sequences like ../.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external Substack newsletters without sanitization or boundary markers.
  - Ingestion points: The get_post and get_text commands in scripts/substack.py fetch external HTML content and metadata.
  - Boundary markers: No delimiters or warnings are used when presenting the fetched content to the agent, making it difficult to distinguish external data from instructions.
  - Capability inventory: The skill can perform network requests and write to the local file system.
  - Sanitization: No content filtering or sanitization is performed beyond basic HTML-to-Markdown conversion.
Audit Metadata