scrape-review-schema

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill creates a feedback loop where untrusted data from scraped websites is returned to the agent.
  • Ingestion points: In SKILL.md (Steps 1 and 4), the agent reads metadata and HTML files from external sources.
  • Boundary markers: Absent. Step 7 in SKILL.md instructs the agent to read the feedback file (cat "${FEEDBACK_FILE}") and return the resulting text to the caller without any validation or delimiters to separate the untrusted feedback from the agent's instructions.
  • Capability inventory: The agent has the ability to execute shell commands (Bash), start a local Python server, and read/write files.
  • Sanitization: The review interface in assets/review.js (line 313) renders scraped HTML in an iframe with sandbox="allow-same-origin". Since the scraped content and the review tool share the same origin (the temporary directory), a malicious script in the scraped data could bypass the sandbox to interact with the parent window, modify the AGENT_URL, or spoof feedback sent to the agent.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute several commands, including starting a background Python process (scripts/feedback-server.py). The server implementation uses Access-Control-Allow-Origin: *, which allows any website visited by the user to send POST requests to the local feedback server, potentially injecting instructions or data into the agent's context if the local port is discovered.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 05:23 AM
Security Audit — agent-trust-hub — scrape-review-schema