clone-website

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted content from external websites via Firecrawl to generate code, creating an attack surface where malicious content on a target site could influence the agent's code generation.
  • Ingestion points: External URLs are scraped using the firecrawl-mcp___firecrawl_scrape tool as defined in Phase 1 of SKILL.md.
  • Boundary markers: The skill implements a mandatory 'Phase 2: Analysis' where a report based on references/analysis-template.md must be approved by the user before code is generated. While this provides a human-in-the-loop checkpoint, there are no explicit instructions for the agent to ignore hidden commands within the scraped HTML/Markdown.
  • Capability inventory: The skill can create a full Next.js project structure, write multiple code files (app/page.tsx, components/landing/*.tsx), and perform network requests to download images via fetch as specified in the Image Handling section of SKILL.md.
  • Sanitization: There is no explicit sanitization or filtering of the scraped content mentioned in the instructions before it is used for component generation.
  • [EXTERNAL_DOWNLOADS]: The skill fetches images from arbitrary URLs discovered during the scraping process. It also uses Unsplash as a fallback service, which is a well-known and reputable image provider.
  • [COMMAND_EXECUTION]: The documentation in references/tech-stack.md references the use of npx shadcn@latest add to install UI components. These are standard commands for the referenced technology stack and represent intended developer workflow rather than malicious execution.
Audit Metadata
Risk Level
SAFE
Analyzed
May 5, 2026, 08:23 PM
Security Audit — agent-trust-hub — clone-website