webpage-reader
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the 'defuddle' package globally via NPM if it is not already present. This involves downloading and executing code from a third-party source that is not included in the trusted vendor list.
- [COMMAND_EXECUTION]: The skill executes 'defuddle parse' shell commands where the URL and output file path are derived from user input. This creates a risk of command injection and arbitrary file overwrites if the agent does not strictly validate these strings.
- [REMOTE_CODE_EXECUTION]: Running 'npm install -g defuddle' fetches and executes code from a remote registry at runtime, which is a significant execution risk from an unverifiable source.
- [DATA_EXFILTRATION]: The skill provides capabilities to fetch data from any external URL and write to the local file system. This combination of network and file access can be abused to move sensitive data or manipulate local files.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from web pages and returns it to the agent context without proper sanitization.
  - Ingestion points: SKILL.md, Step 3a and 3b (content extraction from external URLs).
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore instructions embedded within the fetched content.
  - Capability inventory: Shell command execution, package installation, and local file writing.
  - Sanitization: Absent. There are no instructions for the agent to sanitize or escape extracted content before processing.
Audit Metadata