scrape-zyte-login
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands to check for the existence of environment variables and to open the vendor's setup website in a browser.
- [COMMAND_EXECUTION]: The skill sources or executes local files (
zyte-keys.txtorzyte-keys.ps1) based on paths provided by the user. While this is the intended method for loading credentials from the vendor, it involves dynamic execution of local file content. - [COMMAND_EXECUTION]: The skill interpolates user-provided data (Project ID) into a shell command to save it to a local file (
echo "PROJECT_ID" > .scrape/.zyte/project-id). This ingestion point lacks boundary markers or sanitization, creating a surface for indirect prompt injection where shell metacharacters could influence command execution. - [EXTERNAL_DOWNLOADS]: The skill instructs the user to download configuration files from the vendor's official domain (
app.zyte.com). As this is the verified domain of the service provider, the reference is considered part of the primary skill function.
Audit Metadata