cmo-agent
Fail
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to execute a shell command for a site audit using a user-provided URL (USER_URL). Because the variable is interpolated directly into a command string within a shell-ready code block, an attacker could provide a malicious URL containing shell metacharacters (e.g., `https://example.com"; touch /tmp/pwned #`) to perform command injection and execute arbitrary code on the local system.
- [EXTERNAL_DOWNLOADS]: The skill references the installation of the `lighthouse` command-line tool via the `npm` package manager. This is documented as an optional prerequisite for performing technical performance audits and is a reference to a well-known service.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It retrieves content from user-specified external websites and passes that data into the prompts of multiple specialized agents without using robust boundary markers or sanitization.
  - Ingestion points: The skill uses WebFetch and a custom Python script to pull HTML and metadata from the target website's homepage, pricing, and blog pages.
  - Boundary markers: The 'context bundle' described in SKILL.md lacks clear delimiters or instructions to the agents to disregard any malicious instructions found within the scraped content.
  - Capability inventory: The sub-agents have the ability to generate ready-to-publish articles, social media threads, and code snippets (HTML fixes and schema markup).
  - Sanitization: No sanitization or validation of the fetched website content is performed before it is used to influence agent decisions and outputs.
Recommendations
- AI detected serious security threats
Audit Metadata