scrape-zyte-login

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands to check for the existence of environment variables and to open the vendor's setup website in a browser.
  • [COMMAND_EXECUTION]: The skill sources or executes local files (zyte-keys.txt or zyte-keys.ps1) based on paths provided by the user. While this is the intended method for loading credentials from the vendor, it involves dynamic execution of local file content.
  • [COMMAND_EXECUTION]: The skill interpolates user-provided data (Project ID) into a shell command to save it to a local file (echo "PROJECT_ID" > .scrape/.zyte/project-id). This ingestion point lacks boundary markers or sanitization, creating a surface for indirect prompt injection where shell metacharacters could influence command execution.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to download configuration files from the vendor's official domain (app.zyte.com). As this is the verified domain of the service provider, the reference is considered part of the primary skill function.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 05:23 AM
Security Audit — agent-trust-hub — scrape-zyte-login