fastmoss-creators

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interacts with a local daemon (kimi-webbridge) at http://127.0.0.1:10086 to automate browser tasks, including navigating to specific URLs and executing JavaScript code for data extraction.
  • [EXTERNAL_DOWNLOADS]: The scraper scripts (creator_scraper.py, creator_filtered.py) target various ranking and search pages on fastmoss.com to retrieve influencer data.
  • [DATA_EXFILTRATION]: Extracted data, such as creator IDs, names, and performance metrics, is saved to local CSV and Markdown files. This is consistent with the skill's stated purpose of data analysis.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes external data from fastmoss.com and includes it in reports seen by the agent.
  • Ingestion points: Table data (creator names, categories, metrics) from fastmoss.com rankings extracted in scripts/creator_scraper.py and scripts/creator_filtered.py.
  • Boundary markers: None; data is directly interpolated into a Markdown template in scripts/analyze.py using Python's .format() method.
  • Capability inventory: The skill can navigate the browser, evaluate JS in page context, and write results to the local filesystem.
  • Sanitization: No content-level sanitization is performed on the scraped data before it is included in the generated report; sanitize_header only cleans CSV headers.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:23 AM
Security Audit — agent-trust-hub — fastmoss-creators