search-web
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes bash scripts (scripts/detect.sh and scripts/setup-mcp.sh) to automate environment detection and the configuration of MCP servers. These scripts interact with the host system and modify the AI agent's configuration files such as settings.json or config.toml.
- [EXTERNAL_DOWNLOADS]: During the setup process, the skill uses npx to fetch and execute MCP server packages from the npm registry, including @upstash/context7-mcp and mcp-deepwiki. These are well-known tools provided by established technology vendors.
- [SAFE]: Secret management for API keys is handled by prompting the user and storing the keys in a dedicated local directory (~/.config/search-web/credentials/). This follows standard practices for secret persistence in a local agent environment.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it ingests and processes content from external websites and GitHub repositories. 1. Ingestion points: Data enters the agent's context through the output of the Exa, Context7, DeepWiki, and github-fetcher tools. 2. Boundary markers: The output is structured with Markdown headers and source labels, but there are no specific programmatic delimiters or instructions to the agent to ignore potentially malicious commands embedded in search results. 3. Capability inventory: The skill has the ability to execute shell scripts, write to the local filesystem, and perform remote data retrieval. 4. Sanitization: The skill scripts do not implement automated filtering or escaping of the content retrieved from external sources.
Audit Metadata