web-clipper
Fail
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The scripts/bootstrap.sh script attempts to gain administrative privileges by executing sudo -n to perform package updates and installations on Linux systems. This behavior allows the skill to modify the operating system's configuration without explicit interactive user approval.
- [EXTERNAL_DOWNLOADS]: The skill's setup process triggers automated downloads and installations of software packages (Python 3) from various sources such as Homebrew, APT, DNF, Winget, and Chocolatey. This introduces external dependencies that are managed outside of the skill's own environment.
- [REMOTE_CODE_EXECUTION]: By automating the installation of external executables through system-level package managers, the skill effectively executes remote code (the packages being installed). This is initiated via scripts/bootstrap.sh, which is called by the main wrapper.
- [PROMPT_INJECTION]: The skill parses content from arbitrary external websites via scripts/clip_articles.py. There are no safeguards, such as boundary markers or filtering for instruction-like patterns, to prevent the agent from following malicious instructions embedded in the crawled webpages (Indirect Prompt Injection).
  - Ingestion points: clipper.fetch(url) in scripts/clip_articles.py
  - Boundary markers: Absent
  - Capability inventory: Filesystem write (Path.write_text), Network access (urllib.request.urlopen)
  - Sanitization: Minimal (HTML parsing and regex cleanup of whitespace/meta tags)
- [CREDENTIALS_UNSAFE]: The skill requires a third-party API key (METASO_API_KEY) for certain operations. While it correctly retrieves this from environment variables, the instructions advise users to store it in potentially insecure locations like shell profiles or configuration files.
Recommendations
- AI detected serious security threats
Audit Metadata