Trust Assessment
social-media-agent received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Nested Prompt Injection via `sessions_spawn` with untrusted input and Broad web access capabilities via `browser` and `web_fetch`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Nested Prompt Injection via `sessions_spawn` with untrusted input.** The skill describes spawning a `content-agent` using `sessions_spawn` and feeding it "research results" obtained via `web_fetch` from external news sites. These "research results" are untrusted external content. If this content is directly passed as instructions or context to the spawned `content-agent` (which is likely an LLM), it creates a nested prompt injection vulnerability. An attacker could embed malicious instructions in a news article that, when fetched and passed to the `content-agent`, could manipulate its behavior, cause it to perform unintended actions, or potentially escalate privileges if the spawned agent inherits broad permissions. Implement strict input sanitization and validation for "research results" before passing them to the spawned agent. Ensure the spawned agent operates in a highly sandboxed environment with minimal permissions. Consider using a structured data format for passing information to the sub-agent rather than raw text that could be interpreted as instructions. Explicitly define the `content-agent`'s capabilities and ensure it cannot access sensitive tools or data. | LLM | SKILL.md:49 |
| MEDIUM | **Broad web access capabilities via `browser` and `web_fetch`.** The skill explicitly lists `browser` and `web_fetch` as core tools, enabling general web interaction (navigation, typing, clicking) and scraping of arbitrary URLs. While the skill's stated purpose is benign (X/Twitter automation, news research), these tools grant broad access to the internet. A malicious user prompt could instruct the agent to navigate to malicious websites, interact with sensitive user accounts (if logged in), or fetch data from internal network resources (if accessible to the agent's environment), potentially leading to data exfiltration, account compromise, or other attacks. The skill does not implement any URL allow-listing or sandboxing for these powerful tools. Implement strict URL allow-listing for `browser` and `web_fetch` tools, limiting access only to necessary domains (e.g., x.com, specified news sites). Ensure the agent operates in a sandboxed environment with no access to sensitive local files or internal network resources. Consider requiring explicit user confirmation for actions on sensitive domains, especially those involving authentication or data submission. | LLM | SKILL.md:13 |