skills/ar9av/obsidian-wiki/ingest-url/Gen Agent Trust Hub

ingest-url

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using external or environment-derived strings. Specifically, it calls defuddle <url> and git remote get-url origin. If a maliciously crafted URL or git configuration contains shell metacharacters, it could lead to arbitrary command execution on the host system.- [PROMPT_INJECTION]: The skill is designed to ingest untrusted data from the web. Although it includes an explicit 'Content Trust Boundary' section instructing the agent to treat web content as data rather than instructions, the ingestion of arbitrary HTML/Markdown remains a significant surface for indirect prompt injection attacks.- [DATA_EXFILTRATION]: The skill has the capability to read sensitive project files (e.g., package.json, .manifest.json) and perform network requests (via WebFetch or defuddle). While the primary intent is fetching a user-specified URL, a compromise via indirect prompt injection could potentially repurpose these capabilities to exfiltrate local data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 07:37 PM
Security Audit — agent-trust-hub — ingest-url