scrape-add-page-object
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The
SKILL.mdfile instructs the agent to execute a Python script usinguv run. This script takes positional arguments from the agent's context and uses them to modify or create Python files within the user's project. - [DYNAMIC_EXECUTION]: The script
scripts/add_page_object.pyusesimportlib.import_module()to dynamically load an item class from the local project. This is used to inspect the class usingitemadapterand automatically generate appropriate@fieldstubs. While dynamic loading can be a risk, in this context it is used for the primary purpose of the skill (scaffolding code) and targets the local filesystem where the user is currently working. - [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data (file paths and class names provided as arguments) and interpolates them into a Python script.
- Ingestion points: Positional arguments from
$ARGUMENTSinSKILL.md(e.g.,file_path,class_name). - Boundary markers: None present; the arguments are passed directly to the shell command.
- Capability inventory: Uses
libcstto write code to the local filesystem andimportlibto load local modules. - Sanitization: The Python script uses
argparsewith custom types (_fields,_import_path) to validate that input strings are valid Python identifiers or import paths before using them.
Audit Metadata