web-scraping
Fail
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructions require reading local credentials and sending them to an external server.
- Evidence: The skill reads sensitive data from
~/.gooseworks/credentials.jsonto extract an API key. - Evidence: The extracted key is subsequently transmitted to
api.gooseworks.aivia the Authorization header in multiplecurlcommands. - [COMMAND_EXECUTION]: The skill uses dynamic scripting and shell commands to manage configuration and communicate with APIs.
- Evidence: It executes
python3 -cwith a dynamically generated string to parse JSON files from the file system. - Evidence: It relies on
curlfor all primary scraping and automation functions. - [EXTERNAL_DOWNLOADS]: The skill references external execution patterns.
- Evidence: It directs the user to run
npx gooseworks login, which downloads and executes remote code from an unverified source to establish credentials. - [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection attacks.
- Ingestion points: The skill fetches data from any user-provided or agent-discovered URL using tools like Scrapegraph, Olostep, and Riveter.
- Boundary markers: No delimiters or 'ignore' instructions are used to separate scraped content from the agent's core instructions.
- Capability inventory: The skill possesses high-privilege capabilities including full browser automation, captcha solving, and autonomous multi-step agent tasks.
- Sanitization: There is no evidence of validation or sanitization of scraped content before it is processed by the LLM, allowing external website content to potentially override agent behavior.
Recommendations
- AI detected serious security threats
Audit Metadata