exploiting-broken-link-hijacking
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for using standard reconnaissance tools such as curl, dig, whois, and aws-cli to identify and verify the status of external resource references.
- [EXTERNAL_DOWNLOADS]: The workflow utilizes npx to fetch and execute the broken-link-checker utility from the npm registry, which is a standard method for running modern security tools.
- [PROMPT_INJECTION]: The agent script and workflow ingest content from target websites to extract external links. While this creates a surface for processing untrusted data, the skill uses regex for extraction and does not interpret the page content as instructions.
- [SAFE]: The Python script disables SSL certificate verification (verify=False) to facilitate auditing in diverse network environments, which is a common practice in security tooling despite being a general best-practice violation.
Audit Metadata