webcrawler-deep-crawl

Warn

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a pattern of dynamic code assembly where Python scripts generate JavaScript strings that are subsequently executed in the browser context via the browser-act tool's eval subcommand. This behavior is found in discover-links.py, discover-llms-txt.py, discover-sitemap.py, and extract-page-content.py. Additionally, the skill instructions suggest the use of bash subshells to invoke these scripts, increasing the complexity of command execution.
  • [PROMPT_INJECTION]: The skill processes untrusted data from external websites and incorporates it into the agent's context, creating a surface for indirect prompt injection attacks.
  • Ingestion points: The extract-page-content.py script retrieves text, markdown, and HTML from arbitrary URLs.
  • Boundary markers: None. Extracted website content is returned as raw strings within JSON records without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The agent possesses capabilities to navigate the browser, execute scripts, and write files to the local system.
  • Sanitization: No filtering or sanitization of the extracted web content is performed to neutralize potential malicious instructions.
  • [DATA_EXFILTRATION]: The discovery scripts discover-llms-txt.py and discover-sitemap.py perform network requests using the browser's fetch API with credentials: 'include'. This allows the skill to retrieve and extract data from authenticated sessions if the user is currently logged into the target site, which could lead to unauthorized data exposure if the agent is directed to crawl sensitive internal resources.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 9, 2026, 11:21 AM
Security Audit — agent-trust-hub — webcrawler-deep-crawl