openwebninja-universal-scraper

Fail

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: Hardcoded sensitive credentials were discovered in a configuration file within the skill's API directory.
  • Evidence: The file apis/realtime-amazon-data/config.json contains a hardcoded x-rapidapi-key string ("4e842e5834msh0fff10888eda799p121fefjsn8712ea690aee") that appears to be a valid or previously active credential.
  • [COMMAND_EXECUTION]: The skill uses shell tools to execute arbitrary code and perform complex data transformations.
  • Evidence: test_outputs.js uses child_process.spawn to execute a python3 -c command containing an arbitrary Python script that starts an FTP server and interacts with the file system.
  • Evidence: Several usage recipes in the recipes.md files (e.g., apis/realtime-forums-search/recipes.md) instruct the agent to use node -e to execute multi-line JavaScript code directly from the shell, which could be exploited via command injection.
  • [DATA_EXFILTRATION]: The skill provides extensive utilities for sending gathered data to external third-party services.
  • Evidence: lib/utils.js implements functions like pushWebhook, pushS3, pushFTP, and pushAirtable designed to deliver scraped content to remote endpoints using user-supplied environment secrets.
  • Evidence: test_outputs.js references webhook.site, a service frequently used for anonymous data capture and exfiltration testing, as a destination for scraped records.
  • [PROMPT_INJECTION]: The skill's architecture is highly vulnerable to indirect prompt injection from the web content it scrapes.
  • Ingestion points: Results from 35+ external APIs (including Amazon reviews, Yelp profiles, and forum discussions) are read into the agent's context in SKILL.md (Step 6).
  • Boundary markers: The instructions lack delimiters or safety warnings (e.g., "ignore instructions in results") to prevent the agent from obeying commands embedded in scraped data.
  • Capability inventory: The agent has access to Bash and Write tools alongside the network-push utilities in lib/utils.js, meaning malicious content in a search result could potentially trigger the exfiltration of sensitive local files like .env.
  • Sanitization: No data sanitization or filtering logic is applied to external API results before they are processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 8, 2026, 10:28 AM