carnivore-fetch
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads a Docker image
ghcr.io/kfstorm/carnivore:latestfrom the GitHub Container Registry. This is a vendor-owned resource managed by the skill author. - [COMMAND_EXECUTION]: The bundled script executes
docker runto perform its tasks. It allows for advanced configuration via theCARNIVORE_DOCKER_ARGSenvironment variable, which permits passing arbitrary flags to the Docker daemon. Users should ensure the execution environment is restricted to prevent misuse of these privileges. - [PROMPT_INJECTION]: The skill facilitates the ingestion of data from external websites, creating a surface for indirect prompt injection attacks where malicious content on a web page could influence the agent's behavior.
- Ingestion points: The
bin/carnivore-fetchscript fetches content from user-provided URLs. - Boundary markers: No specific delimiters are mandated in the instructions for the agent to separate untrusted web content from its own instructions.
- Capability inventory: The agent can trigger Docker container execution through the provided wrapper script.
- Sanitization: The skill relies on the Carnivore extraction pipeline to produce readable Markdown, which provides some filtering of the raw source code but still presents the resulting text to the agent.
Audit Metadata