scrape-review-schema
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill creates a feedback loop where untrusted data from scraped websites is returned to the agent.
- Ingestion points: In
SKILL.md(Steps 1 and 4), the agent reads metadata and HTML files from external sources. - Boundary markers: Absent. Step 7 in
SKILL.mdinstructs the agent to read the feedback file (cat "${FEEDBACK_FILE}") and return the resulting text to the caller without any validation or delimiters to separate the untrusted feedback from the agent's instructions. - Capability inventory: The agent has the ability to execute shell commands (Bash), start a local Python server, and read/write files.
- Sanitization: The review interface in
assets/review.js(line 313) renders scraped HTML in an iframe withsandbox="allow-same-origin". Since the scraped content and the review tool share the same origin (the temporary directory), a malicious script in the scraped data could bypass the sandbox to interact with the parent window, modify theAGENT_URL, or spoof feedback sent to the agent. - [COMMAND_EXECUTION]: The skill uses the Bash tool to execute several commands, including starting a background Python process (
scripts/feedback-server.py). The server implementation usesAccess-Control-Allow-Origin: *, which allows any website visited by the user to send POST requests to the local feedback server, potentially injecting instructions or data into the agent's context if the local port is discovered.
Audit Metadata