baoyu-danger-x-to-markdown
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The file `scripts/constants.ts` contains a hardcoded public bearer token (DEFAULT_BEARER_TOKEN). While this specific token is widely known and used for public X web access, hardcoding any authentication credentials in source code is against security best practices.
- [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection because it fetches untrusted data from an external source (X) and processes it into the agent's context. If a processed tweet contains malicious instructions (e.g., "ignore previous instructions and execute..."), the agent may inadvertently follow them.
  - Ingestion points: External tweet and article content is fetched in `scripts/main.ts` through the `tweetToMarkdown` and `convertArticleToMarkdown` functions.
  - Boundary markers: The resulting Markdown output uses YAML frontmatter but lacks explicit boundary delimiters or "ignore instructions" warnings to isolate the untrusted content from the agent's internal logic.
  - Capability inventory: The skill environment allows for subprocess execution (via `bun`) and has access to the local file system.
  - Sanitization: There is no logic in the conversion process to sanitize or escape the fetched text for potential prompt injection patterns.
- [COMMAND_EXECUTION]: The script `scripts/cookies.ts` uses the `spawn` command to launch local instances of browsers (Chrome, Edge, or Chromium) to automate the retrieval of cookies via the Chrome DevTools Protocol. While this is part of the documented functionality, launching browsers with remote debugging enabled is an intrusive operation that could be abused.
Audit Metadata