fastmoss-ads

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill is a legitimate data extraction utility that gathers public TikTok trend information from fastmoss.com without performing unauthorized data exfiltration or credential theft.
  • [COMMAND_EXECUTION]: Orchestrates local Python scripts and communicates with a bridge service at 127.0.0.1:10086 to perform browser navigation and JavaScript evaluation for scraping purposes.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8) due to the ingestion of untrusted web content.
  • Ingestion points: Ad titles, keywords, and category names scraped from the FastMoss interface in scripts/ads_scraper.py and scripts/ads_filtered.py.
  • Boundary markers: Not present; the extracted data is directly written to CSV files and interpolated into a Markdown report template without clear delimiters or warnings for the agent.
  • Capability inventory: Local file writing and browser-based JavaScript execution via the kimi-webbridge API.
  • Sanitization: Basic string trimming and truncation of entity names are applied to the scraped content.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:23 AM
Security Audit — agent-trust-hub — fastmoss-ads