search-and-fetch
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation in references/tool-catalog.md instructs the agent to install crawl4ai via pip and agent-browser via npm if they are missing. These are unversioned installations from public registries, which introduces a supply chain risk.
- [COMMAND_EXECUTION]: The skill defines and uses several CLI tools (crwl, agent-browser, ctx7) and provides specific command sequences for their operation, including post-installation setup commands like agent-browser install.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and analyzes arbitrary web content without explicit sanitization or boundary markers to isolate instructions within that content.
  - Ingestion points: External data enters the agent context through the crwl and agent-browser tools as defined in SKILL.md and references/tool-catalog.md.
  - Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from obeying instructions embedded within the fetched content.
  - Capability inventory: The skill provides significant capabilities, including web browsing (agent-browser), document searching (ctx7), and general web search, which could be abused if an injection is successful.
  - Sanitization: There is no evidence of content sanitization or validation before the extracted text is processed for analysis.
Audit Metadata