scrape-codegen-analyze

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and analyzes untrusted HTML content provided via the page_html_path argument.
  • Ingestion points: The raw HTML content from the target page is read and processed by the agent to determine extraction rules.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate potentially malicious instructions embedded within the HTML (e.g., text content or HTML comments designed to mislead the AI).
  • Capability inventory: The skill has access to Bash (executing local scripts), Read, and Write tools, which could be leveraged if an injection attack successfully influences the agent's behavior.
  • Sanitization: While the skill mentions "cleaning" the HTML, this process is for structure (stripping tags) rather than security filtering of malicious natural language instructions.
  • [COMMAND_EXECUTION]: The skill executes shell commands (mkdir, uv run) using the Bash tool that interpolate user-supplied arguments such as work_path and page_id. This creates a surface for command injection if the input strings are not strictly validated or sanitized by the platform before being passed to the shell.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 05:23 AM
Security Audit — agent-trust-hub — scrape-codegen-analyze