hormuz-strait
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill uses
curlto fetch data fromhttps://hormuzstraitmonitor.com/api/dashboard. This involves network communication with an external domain not included in the standard whitelists. - [COMMAND_EXECUTION]: The skill utilizes the
curlshell command to perform data retrieval from its remote dashboard API. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting and presenting untrusted data from a remote API.
- Ingestion points: External data is retrieved from the dashboard API at
https://hormuzstraitmonitor.com/api/dashboardas defined in theSKILL.mdandreferences/api_schema.mdfiles. - Boundary markers: Absent. The skill instructions do not provide the agent with delimiters or specific warnings to ignore instructions potentially embedded in fields such as news headlines, summaries, or diplomatic updates.
- Capability inventory: No high-risk capabilities such as arbitrary code execution (eval/exec) or file system writes are present; the skill is limited to reading and formatting data.
- Sanitization: Absent. The skill does not specify any validation, escaping, or filtering for the retrieved API content before it is processed by the agent.
Audit Metadata