Skills
skills/kundeng/bayeslearner-skills/wise-scraper/Gen Agent Trust Hub

wise-scraper

Warn

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell command execution primitives to interact with the system and external browser tools. Specifically, it calls the agent-browser CLI to perform navigation and DOM operations.
  • Evidence: references/runner/src/browser.ts (execSync), examples/splunk-itsi-admin/run.mjs (execSync), and examples/revspin/run_revspin_durable.py (subprocess.run).
  • [DYNAMIC_EXECUTION]: The runner frequently constructs and executes dynamic JavaScript strings within the browser context to extract data. It also allows for the dynamic loading of local JavaScript/TypeScript modules to extend functionality via a hook system.
  • Evidence: references/runner/src/browser.ts (eval), references/runner/src/engine.ts (evalJson), and references/runner/src/hooks.ts (dynamic import).
  • [EXTERNAL_DOWNLOADS]: The skill requires and provides instructions for installing external dependencies, including browser automation tools.
  • Evidence: Guidance to install @anthropic-ai/agent-browser in README.md and references/runner/src/browser.ts.
  • [PROMPT_INJECTION]: As a scraping tool, the skill is designed to ingest untrusted data from external websites. This extracted content is then processed and formatted for the AI agent, creating a surface for indirect prompt injection.
  • Ingestion points: references/runner/src/engine.ts extracts content from arbitrary URLs.
  • Boundary markers: Extracted content is interpolated into records without explicit delimiters or instructions to ignore embedded commands.
  • Capability inventory: The runner possesses shell execution and dynamic JS evaluation capabilities.
  • Sanitization: references/runner/src/processing.ts performs minimal sanitization by removing script and style tags, but essentially prepares the data for agent consumption.
  • [DATA_EXFILTRATION]: The skill's primary function is data extraction. While intended for scraping, the combination of network access, browser control, and file writing represents a data exfiltration pattern if used with malicious profiles.
  • Evidence: references/runner/src/run.ts writes extracted data to local storage.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 5, 2026, 06:15 PM