fastmoss-creators
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interacts with a local daemon (
kimi-webbridge) athttp://127.0.0.1:10086to automate browser tasks, including navigating to specific URLs and executing JavaScript code for data extraction. - [EXTERNAL_DOWNLOADS]: The scraper scripts (
creator_scraper.py,creator_filtered.py) target various ranking and search pages onfastmoss.comto retrieve influencer data. - [DATA_EXFILTRATION]: Extracted data, such as creator IDs, names, and performance metrics, is saved to local CSV and Markdown files. This is consistent with the skill's stated purpose of data analysis.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes external data from
fastmoss.comand includes it in reports seen by the agent. - Ingestion points: Table data (creator names, categories, metrics) from
fastmoss.comrankings extracted inscripts/creator_scraper.pyandscripts/creator_filtered.py. - Boundary markers: None; data is directly interpolated into a Markdown template in
scripts/analyze.pyusing Python's.format()method. - Capability inventory: The skill can navigate the browser, evaluate JS in page context, and write results to the local filesystem.
- Sanitization: No content-level sanitization is performed on the scraped data before it is included in the generated report;
sanitize_headeronly cleans CSV headers.
Audit Metadata