Skills
skills/cyranob/web-forager/competitive-intel/Gen Agent Trust Hub

competitive-intel

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses uvx and uv run to download and install third-party Python packages (web-forager and ddgs) from external registries at runtime.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution to perform searches and data retrieval, specifically using uvx, uv run, and curl.
  • [COMMAND_EXECUTION]: A Python heredoc (`python
  • <<'PY'`) is used to execute a script directly within the shell. While the logic is defined within the skill, this pattern involves dynamic script execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  • Ingestion points: External data is ingested from search results and web page content fetched via jina.ai and other tools.
  • Boundary markers: The instructions lack explicit boundary markers or delimiters to separate untrusted external content from the agent's internal logic.
  • Capability inventory: The skill has access to subprocess execution (uvx, uv, curl) across its search and fetch operations.
  • Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent to generate competitive reports.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 01:24 AM
Security Audit — agent-trust-hub — competitive-intel