webcrawler-deep-crawl
Warn
Audited by Gen Agent Trust Hub on Jul 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a pattern of dynamic code assembly where Python scripts generate JavaScript strings that are subsequently executed in the browser context via the
browser-acttool'sevalsubcommand. This behavior is found indiscover-links.py,discover-llms-txt.py,discover-sitemap.py, andextract-page-content.py. Additionally, the skill instructions suggest the use of bash subshells to invoke these scripts, increasing the complexity of command execution. - [PROMPT_INJECTION]: The skill processes untrusted data from external websites and incorporates it into the agent's context, creating a surface for indirect prompt injection attacks.
- Ingestion points: The
extract-page-content.pyscript retrieves text, markdown, and HTML from arbitrary URLs. - Boundary markers: None. Extracted website content is returned as raw strings within JSON records without delimiters or instructions to ignore embedded commands.
- Capability inventory: The agent possesses capabilities to navigate the browser, execute scripts, and write files to the local system.
- Sanitization: No filtering or sanitization of the extracted web content is performed to neutralize potential malicious instructions.
- [DATA_EXFILTRATION]: The discovery scripts
discover-llms-txt.pyanddiscover-sitemap.pyperform network requests using the browser'sfetchAPI withcredentials: 'include'. This allows the skill to retrieve and extract data from authenticated sessions if the user is currently logged into the target site, which could lead to unauthorized data exposure if the agent is directed to crawl sensitive internal resources.
Audit Metadata