headless-web-scraping

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external websites.
      • Ingestion points: External content is retrieved in SKILL.md via Fetcher.get() and extracted using response.get_all_text() or response.find() in the Python code blocks.
      • Boundary markers: The instructions do not define clear delimiters or use 'ignore' markers to isolate scraped content from the agent's command context.
      • Capability inventory: The skill allows the use of Bash, Read, and Write tools (specified in SKILL.md frontmatter), which could be targeted if the agent obeys instructions found within scraped web pages.
      • Sanitization: No content filtering or validation is implemented for the data retrieved from remote sources.
  • [EXTERNAL_DOWNLOADS]: The skill requires external dependencies and binaries.
      • Evidence: The skill instructions suggest installing the scrapling Python package (a vendor-owned resource) and Playwright browser binaries via 'python -m playwright install chromium'. These are standard requirements for the skill's intended functionality.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 18, 2026, 07:13 AM