page-remake
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and analyzes data from untrusted external URLs. Malicious instructions placed on a target website could attempt to hijack the agent's logic during the analysis and reconstruction phases.
- Ingestion points: Untrusted data enters the context via the
browser_navigateandbrowser_screenshottools when visiting user-provided URLs. - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the analyzed website content.
- Capability inventory: The skill has the ability to write multiple files (BRAND-ANALYSIS.md, SITE.md, and codebase components) and perform network operations via Playwright.
- Sanitization: No validation or filtering is performed on the content retrieved from the external URLs before it is processed by the LLM.
- [DATA_EXFILTRATION]: The skill's design enables a form of information exposure through SSRF-like behavior. It navigates to any user-provided URL and automatically saves a screenshot to a public directory.
- Evidence: Instructions in the 'Phase 1: Screenshot the Original' section specify saving captures to
public/references/original-[sitename]-[date].png. - Risk: An attacker could provide URLs for internal network services or local metadata endpoints (e.g., localhost or cloud metadata services). The agent would screenshot these private interfaces and place the images in a potentially web-accessible folder (
public/), leading to the exposure of sensitive internal information.
Audit Metadata