shorten
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to `https://is.gd/create.php` to generate shortened URLs. This interaction targets a well-known public service and aligns with the skill's stated functionality.
- [COMMAND_EXECUTION]: The skill executes a local shell script (`shorten.sh`) that utilizes the `curl` command-line tool. The script correctly handles user input by using `--data-urlencode`, which prevents the input from interfering with the shell command or injecting additional HTTP parameters.
- [INDIRECT_PROMPT_INJECTION]: The skill accepts user-provided URLs as input for processing.
  - Ingestion points: User input is received as a command-line argument in `shorten.sh`.
  - Boundary markers: Not applicable as the input is passed directly to the script argument.
  - Capability inventory: The skill is limited to making an HTTP POST request to a single hardcoded endpoint.
  - Sanitization: The use of `curl --data-urlencode` ensures that the URL input is treated as data and cannot be used to execute arbitrary commands or modify the intended API call.
Audit Metadata