paoding

Warn

Audited by Gen Agent Trust Hub on Jul 15, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local scripts scripts/collect.sh and scripts/collect_api.py to automate content retrieval and processing. It also invokes system tools like yt-dlp, ffmpeg, and whisper via subprocesses.
  • [DATA_EXFILTRATION]: Accesses sensitive local data, specifically reading API keys from ~/.config/paoding/keys.env. It also utilizes yt-dlp with the --cookies-from-browser flag, which allows the skill to access and use the user's active browser sessions and cookies for platforms like X, Douyin, and Xiaohongshu.
  • [EXTERNAL_DOWNLOADS]: Automatically fetches media and metadata from a wide range of external social media platforms (YouTube, Bilibili, X, Douyin, Xiaohongshu) based on user-supplied URLs.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection. The skill ingests untrusted external data (transcribed audio, post text, and comments) and processes it to create a 'Strategy Map'.
  • Ingestion points: scripts/collect.sh (transcribed audio) and scripts/collect_api.py (API-fetched posts/comments).
  • Boundary markers: The instructions lack explicit delimiters or warnings to ignore instructions embedded within the transcribed content or post text.
  • Capability inventory: The skill has the capability to write new files, specifically generating a full SKILL.md file.
  • Sanitization: There is no evidence of sanitization or filtering applied to the external content before it is processed by the model.
  • [COMMAND_EXECUTION]: Implements dynamic execution by automatically generating a complete SKILL.md file (a 'Content Coach Skill') in Step 4. This file contains AI instructions and workflows derived from the potentially malicious or untrusted external data processed in earlier steps.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 15, 2026, 03:57 PM