xuanim-api
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes local utility scripts in JavaScript, PHP, Python, and Bash (
scripts/sign.*) to calculate API request signatures. These scripts use standard system libraries for MD5 hashing and are provided as development aids for generating valid API tokens. - [PROMPT_INJECTION]: The skill defines methods for retrieving user-controlled data from an external IM service (such as user names and group titles). While this creates a potential surface for indirect prompt injection if the retrieved content is later processed by an agent without sanitization, the skill itself focuses on the technical integration layer and does not implement unsafe data interpolation.
- [SAFE]: This is a developer-oriented skill for integrating with the XuanXuan IM platform. It follows security best practices by using placeholders for credentials in documentation and ensuring that network request examples (using
fetch) are configured to omit sensitive credentials.
Audit Metadata