Skills
skills/mvanhorn/last30days-skill/last30days/Gen Agent Trust Hub

last30days

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill contains comprehensive logic for harvesting sensitive authentication cookies from multiple web browsers.
  • scripts/lib/chrome_cookies.py copies local database files and attempts to decrypt session tokens using keys retrieved from the macOS Keychain.
  • scripts/lib/safari_cookies.py extracts cookies from the Safari binary cookie file.
  • scripts/lib/cookie_extract.py provides cross-platform discovery for Firefox browser profiles, including support for Windows profiles accessed via WSL.
  • This capability allows the skill to capture sensitive session tokens that could provide unauthorized access to user accounts.
  • [COMMAND_EXECUTION]: The skill relies extensively on the execution of external binaries and system utilities via subprocesses.
  • It executes security find-generic-password to access the macOS Keychain and openssl for cookie decryption.
  • It uses node to execute a vendored JavaScript search client for X/Twitter data retrieval.
  • It invokes gh auth token to retrieve GitHub credentials and yt-dlp for video metadata collection.
  • [EXTERNAL_DOWNLOADS]: The skill contains logic to modify the user's system environment by downloading external dependencies.
  • scripts/lib/setup_wizard.py automatically executes brew install yt-dlp if the YouTube downloader is missing from the system path.
  • [PROMPT_INJECTION]: SKILL.md uses adversarial framing, such as 'LAWS' and 'CONTRACTS', to override the default safety guidelines and operational protocols of the AI agent.
  • The instructions explicitly command the agent to disregard requirements from other tools, such as the mandatory citation format for the WebSearch tool.
  • The skill processes untrusted third-party content from social media platforms, creating a vulnerability surface for indirect prompt injection.
  • [CREDENTIALS_UNSAFE]: The skill accesses highly sensitive credential stores and hardcodes authentication tokens.
  • It uses the security utility to retrieve the Chrome Safe Storage key from the system keychain.
  • scripts/lib/vendor/bird-search/lib/twitter-client-base.js contains a hardcoded Twitter bearer token.
  • The skill also reads from various local credential files, including ~/.codex/auth.json.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 10, 2026, 11:28 PM