scrape-add-page-object

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file instructs the agent to execute a Python script using uv run. This script takes positional arguments from the agent's context and uses them to modify or create Python files within the user's project.
  • [DYNAMIC_EXECUTION]: The script scripts/add_page_object.py uses importlib.import_module() to dynamically load an item class from the local project. This is used to inspect the class using itemadapter and automatically generate appropriate @field stubs. While dynamic loading can be a risk, in this context it is used for the primary purpose of the skill (scaffolding code) and targets the local filesystem where the user is currently working.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data (file paths and class names provided as arguments) and interpolates them into a Python script.
  • Ingestion points: Positional arguments from $ARGUMENTS in SKILL.md (e.g., file_path, class_name).
  • Boundary markers: None present; the arguments are passed directly to the shell command.
  • Capability inventory: Uses libcst to write code to the local filesystem and importlib to load local modules.
  • Sanitization: The Python script uses argparse with custom types (_fields, _import_path) to validate that input strings are valid Python identifiers or import paths before using them.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 04:53 PM
Security Audit — agent-trust-hub — scrape-add-page-object