substack-skill
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFECREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
- [SAFE]: The skill implements security best practices by requiring explicit human confirmation before performing high-impact, irreversible actions like publishing a post to email subscribers.
- [CREDENTIALS_UNSAFE]: Authentication is handled via session cookies provided by the user during a manual setup process. These credentials are stored in a local config.json file with restricted file permissions (0600), limiting access to the current user.
- [DATA_EXFILTRATION]: The skill accesses local files (markdown documents and images) as part of its primary function to create Substack drafts. These files are only processed when explicitly requested through command arguments and the data is transmitted only to official Substack API endpoints.
Audit Metadata