llm-wiki
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/fetch-x.sh manages browser session cookies stored at ~/.config/llm-wiki/x-profile/cookies.json. It includes a command to harvest cookies from a running Chrome instance using agent-browser --auto-connect cookies. Handling and storing session cookies for external services represents a significant credential management risk.
- [COMMAND_EXECUTION]: The skill utilizes several shell and Python scripts (scripts/setup.sh, scripts/connect-obsidian.sh, scripts/fetch-x.sh) to perform file system operations, directory creation, and interactive browser control via the agent-browser tool. These scripts process user-provided paths and arguments to manage the wiki infrastructure.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to api.vxtwitter.com (a third-party service) to retrieve tweet content. Additionally, scripts/download-images.py downloads image files from arbitrary, unverified URLs provided through standard input.
- [PROMPT_INJECTION]: The skill ingests untrusted data from external websites and social media platforms to update its persistent wiki files, creating an indirect prompt injection surface.
  - Ingestion points: scripts/extract-html.py (local HTML files) and scripts/fetch-x.sh (external X/Twitter content).
  - Boundary markers: Absent. The instructions do not specify the use of delimiters or 'ignore' instructions for the ingested text during the wiki update process.
  - Capability inventory: File system write access (wiki updates), network communication, and script execution capabilities.
  - Sanitization: Absent. The scripts extract and pass text content without sanitizing or escaping potential prompt injection payloads that might be embedded in the source material.
Recommendations
- AI detected serious security threats
Audit Metadata