press-release-generator

Fail

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocesses to automate data extraction tasks.
  • Step 2A uses a python3 heredoc to parse the local docs/learning-graph/book-metrics.json file.
  • Step 2B utilizes a shell pipeline (curl | grep | sed) to extract URL locations from an XML sitemap.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to external domains provided by the user (or templates) using curl. While intended to fetch sitemaps for content discovery, this involves connecting to non-whitelisted URLs.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) due to its data ingestion patterns.
  • Ingestion points: Untrusted data is retrieved from external websites and sitemaps via curl, as well as from local repository files like mkdocs.yml.
  • Boundary markers: The skill does not employ explicit delimiters or instructions to ignore malicious content within the fetched data.
  • Capability inventory: The environment allows execution of shell commands (curl, grep, sed) and python3 scripts.
  • Sanitization: There is no logic present to sanitize or validate the content of the retrieved sitemaps or web pages before they are used to influence the agent's output.
Recommendations
  • HIGH: Downloads and executes remote code from: https://SITE/sitemap.xml - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 21, 2026, 03:36 PM
Security Audit — agent-trust-hub — press-release-generator