icp-onboarding
Fail
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command
npx tsx scripts/scrape-website.ts --url=[URL]using input directly from the user. This creates a high risk of command injection, where a malicious user could provide a URL containing shell metacharacters (e.g.,;,&&, or|) to run arbitrary system commands.\n- [EXTERNAL_DOWNLOADS]: Thescripts/scrape-website.tsscript uses thefetchAPI to download content from arbitrary external websites. This could be abused for Server-Side Request Forgery (SSRF) to scan internal networks or access sensitive local metadata services.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by scraping external website content and presenting it to the agent for processing.\n - Ingestion points: Web content fetched from remote URLs is saved to
/tmp/scrape.json.\n - Boundary markers: There are no instructions or delimiters to isolate the scraped content from the agent's primary instructions.\n
- Capability inventory: The skill allows shell command execution and file writes.\n
- Sanitization: The script only performs basic HTML tag removal, leaving any malicious natural language instructions intact for the agent to process.
Recommendations
- AI detected serious security threats
Audit Metadata