laohan-redian
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches data from public endpoints at `aihot.virxact.com` and `www.douyin.com`. These requests are used to retrieve news items and trending lists for the daily briefing and are not used to download executable code.
- [COMMAND_EXECUTION]: The skill uses `Bash(*)` permissions to execute `curl`, `opencli`, and `node`. It dynamically locates its own script `douyin-ai.js` within its installation directory to process Douyin trending data. These commands are well-scoped to the task of data gathering and processing.
- [DATA_EXFILTRATION]: No sensitive local data (such as credentials, environment variables, or private keys) is accessed. Network operations are limited to the specific public news APIs and social platforms mentioned in the documentation.
- [PROMPT_INJECTION]: The skill ingests untrusted text data from third-party social media platforms (Zhihu, Weibo, Douyin, etc.). While this presents a surface for indirect prompt injection if the ingested content contains malicious instructions, the risk is inherent to news aggregation tasks and mitigated by the skill's filtering logic.
Audit Metadata