google-maps-contact-extract

Pass

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to invoke Python scripts that print JavaScript code to standard output, which is then executed via shell evaluation: eval "$(python scripts/xxx.py {params})". This pattern of dynamic code generation and execution is used for browser automation but represents a higher-privilege execution model than static scripts.
  • [PROMPT_INJECTION]: The skill's primary function is to ingest and process data from external, untrusted sources including Google Maps search results and third-party business websites. This creates a surface for indirect prompt injection attacks.
  • Ingestion points: The scripts extract-contacts.py, place-detail.py, and search-places.py read content directly from the DOM of navigated web pages.
  • Boundary markers: Data is returned to the agent in structured JSON format, which provides a syntactic boundary, but there are no explicit instructions for the agent to ignore or isolate instructions that might be embedded within the scraped business descriptions or website text.
  • Capability inventory: The skill allows the agent to navigate to arbitrary URLs, execute JavaScript in the browser context, and write persistent memory files to the local disk.
  • Sanitization: While the Python scripts perform basic escaping on search keywords to prevent JavaScript syntax errors, the text scraped from external websites is not sanitized or filtered for malicious prompt content before being returned to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 9, 2026, 11:21 AM
Security Audit — agent-trust-hub — google-maps-contact-extract