fastmoss-ads
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is a legitimate data extraction utility that gathers public TikTok trend information from fastmoss.com without performing unauthorized data exfiltration or credential theft.
- [COMMAND_EXECUTION]: Orchestrates local Python scripts and communicates with a bridge service at
127.0.0.1:10086to perform browser navigation and JavaScript evaluation for scraping purposes. - [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8) due to the ingestion of untrusted web content.
- Ingestion points: Ad titles, keywords, and category names scraped from the FastMoss interface in
scripts/ads_scraper.pyandscripts/ads_filtered.py. - Boundary markers: Not present; the extracted data is directly written to CSV files and interpolated into a Markdown report template without clear delimiters or warnings for the agent.
- Capability inventory: Local file writing and browser-based JavaScript execution via the
kimi-webbridgeAPI. - Sanitization: Basic string trimming and truncation of entity names are applied to the scraped content.
Audit Metadata