site-extract
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and processes content from arbitrary external websites.
  - Ingestion points: Data is retrieved from user-provided URLs via `curl` in `scripts/basic-extract.sh` and through the Firecrawl API in `scripts/firecrawl-extract.sh`.
  - Boundary markers: The skill lacks boundary markers or instructions to ignore embedded commands; the instructions in `SKILL.md` specifically require the agent to "Preserve exact language" and "Quote, do not paraphrase."
  - Capability inventory: The agent can execute shell scripts, perform network operations, and write files to the local workspace.
  - Sanitization: While HTML tags are stripped, the text content is not sanitized or filtered for instructions that might target the LLM.
- [EXTERNAL_DOWNLOADS]: The skill performs network requests to the Firecrawl service (`api.firecrawl.dev`) and to various target websites to extract brand DNA. It also downloads binary assets such as logos and screenshots from these external URLs.
- [COMMAND_EXECUTION]: The skill executes local shell scripts (`scripts/basic-extract.sh` and `scripts/firecrawl-extract.sh`) that use standard system tools such as `curl`, `jq`, `grep`, `sed`, and `python3` for data processing.
- [DATA_EXFILTRATION]: The skill uses a `FIRECRAWL_API_KEY` for API requests to `api.firecrawl.dev`. It attempts to load this credential from environment variables and from common local configuration paths such as `.env` and `~/.openclaw/credentials/firecrawl.env`.
Audit Metadata