carnivore-fetch

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads a Docker image ghcr.io/kfstorm/carnivore:latest from the GitHub Container Registry. This is a vendor-owned resource managed by the skill author.
  • [COMMAND_EXECUTION]: The bundled script executes docker run to perform its tasks. It allows for advanced configuration via the CARNIVORE_DOCKER_ARGS environment variable, which permits passing arbitrary flags to the Docker daemon. Users should ensure the execution environment is restricted to prevent misuse of these privileges.
  • [PROMPT_INJECTION]: The skill facilitates the ingestion of data from external websites, creating a surface for indirect prompt injection attacks where malicious content on a web page could influence the agent's behavior.
  • Ingestion points: The bin/carnivore-fetch script fetches content from user-provided URLs.
  • Boundary markers: No specific delimiters are mandated in the instructions for the agent to separate untrusted web content from its own instructions.
  • Capability inventory: The agent can trigger Docker container execution through the provided wrapper script.
  • Sanitization: The skill relies on the Carnivore extraction pipeline to produce readable Markdown, which provides some filtering of the raw source code but still presents the resulting text to the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 10:20 PM
Security Audit — agent-trust-hub — carnivore-fetch