substack
Fail
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation references the use of the gemini command-line tool with the flag --approval-mode yolo. This flag explicitly instructs the agent to bypass user approval for code generation and execution, which is a high-risk instruction that overrides standard safety protocols.
- [PROMPT_INJECTION]: The inclusion of the 'yolo' mode instruction acts as a behavioral override, attempting to remove constraints and confirmation steps during the automated generation of code.
- [REMOTE_CODE_EXECUTION]: The skill executes various local Python scripts (chat_check.py, post_note.py, etc.) through subprocess calls. It also uses the Playwright library to render HTML files and take screenshots at runtime.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of external Substack chat threads.
- Ingestion points: Data enters the context from the chat_check.py detect command in SKILL.md, which fetches external chat content.
- Boundary markers: While the skill includes instructions to pause for user confirmation, it lacks technical delimiters to separate untrusted chat data from the system's instructions.
- Capability inventory: The skill has capabilities to execute shell commands, manage local files, and interact with the Substack API (create, delete, and publish posts).
- Sanitization: No evidence of input validation or sanitization of the retrieved chat content was found.
Recommendations
- AI detected serious security threats