skills/supadata-ai/skills/supadata/Gen Agent Trust Hub

supadata

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes bash scripts (poll-job.sh, scrape.sh, transcript.sh) that perform network requests and data processing using curl and jq. Analysis of these scripts shows they correctly handle arguments and user-provided URLs using array-based execution and URL-encoding where appropriate.\n- [EXTERNAL_DOWNLOADS]: The skill communicates with the official API at api.supadata.ai to retrieve transcripts and web content. These connections are intended and necessary for the skill's functionality.\n- [PROMPT_INJECTION]: The skill fetches data from external sources like video transcripts and web pages, which poses a potential surface for indirect prompt injection if those sources contain malicious instructions for the LLM. This is an inherent property of tools designed to bring external content into an AI's context. No malicious logic was found in the skill's own code.\n
  • Ingestion points: The scripts scrape.sh and transcript.sh output content from external URLs directly to the agent.\n
  • Boundary markers: The instructions do not currently include explicit boundary markers or instructions for the agent to disregard content from these sources.\n
  • Capability inventory: The skill uses curl, jq, and standard shell utilities.\n
  • Sanitization: External content is not sanitized before being returned to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 10:03 PM
Security Audit — agent-trust-hub — supadata