tech-stack-teardown

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/recon.py executes system commands dig and curl to gather DNS records and website HTML. The implementation uses list-based arguments without a shell, which prevents command injection from user-supplied domain names.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of requests and python-dotenv Python packages via pip. It also interacts with the Apify API for technology profiling, which is a well-known service.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted HTML content from target websites.
      • Ingestion points: scripts/recon.py (fetches website source code via curl).
      • Boundary markers: Absent; the agent is directed to present findings based on the scraped content without specific delimiters or instructions to ignore potential commands embedded in the source code.
      • Capability inventory: Subprocess execution (dig, curl), network requests (requests to Apify), and file system writing (via the --output flag).
      • Sanitization: The script performs regex-based extraction for specific technology signatures but provides the broader results to the agent for summarization and assessment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 11, 2026, 04:25 PM