Skills
skills/jianshuo/claude-skills/wjs-promoting-skills/Gen Agent Trust Hub

wjs-promoting-skills

Warn

Audited by Gen Agent Trust Hub on May 21, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Persistence via macOS launchd. The setup.sh script installs a launch agent at ~/Library/LaunchAgents/com.jianshuo.wjs-promoting-skills.plist. This agent is configured to execute the daily.sh script automatically every day at 4:00 AM. While this is an intended automation feature, it establishes a persistent background process on the user's system.
  • [PROMPT_INJECTION]: Indirect Prompt Injection vulnerability surface.
  • Ingestion points: daily.sh and make-plan.sh read SKILL.md files from other skills installed in ~/.claude/skills/ to generate marketing copy.
  • Boundary markers: The prompts in prompts/daily-post.md and prompts/make-plan.md do not utilize robust delimiters or specific instructions to ignore potential commands or malicious instructions embedded in the processed skill metadata.
  • Capability inventory: The agent has access to Read, Write, and Bash (git, jq, stat) in its primary workflow, and WebFetch, WebSearch, and xurl search (network operations) during research phases.
  • Sanitization: No validation or sanitization of the content extracted from third-party skill files is performed before it is passed to the AI for tasks that lead to network-bound outputs.
  • [DATA_EXFILTRATION]: Automated posting to external services. The skill is designed to automatically post generated content to X (Twitter) using the xurl CLI tool. This allows local data from other skills to be sent to a remote service. While this is the primary feature, the lack of per-post review for automated runs increases the risk of unintended data exposure.
  • [EXTERNAL_DOWNLOADS]: Automated web research. The research-marketplaces.sh script triggers an AI workflow that uses WebFetch and WebSearch to gather data from multiple external domains including ClawHub, agentskills.io, SkillsMP, Reddit, and Hacker News, with a specified budget of up to 30 fetch operations per session.
  • [COMMAND_EXECUTION]: Unsafe template substitution. Scripts like make-plan.sh use sed to substitute variables (such as ${SKILL}) into prompt templates. Because the variables are not sanitized and the shell command construction uses delimiters that could be part of a malicious filename, it presents a risk of command injection if a local directory name is specifically crafted by an attacker.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 21, 2026, 12:58 AM
Security Audit — agent-trust-hub — wjs-promoting-skills