scrape-codegen-analyze
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and analyzes untrusted HTML content provided via the
page_html_pathargument. - Ingestion points: The raw HTML content from the target page is read and processed by the agent to determine extraction rules.
- Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate potentially malicious instructions embedded within the HTML (e.g., text content or HTML comments designed to mislead the AI).
- Capability inventory: The skill has access to
Bash(executing local scripts),Read, andWritetools, which could be leveraged if an injection attack successfully influences the agent's behavior. - Sanitization: While the skill mentions "cleaning" the HTML, this process is for structure (stripping tags) rather than security filtering of malicious natural language instructions.
- [COMMAND_EXECUTION]: The skill executes shell commands (
mkdir,uv run) using theBashtool that interpolate user-supplied arguments such aswork_pathandpage_id. This creates a surface for command injection if the input strings are not strictly validated or sanitized by the platform before being passed to the shell.
Audit Metadata