scrape-analyze-page

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted HTML data without proper boundary markers or semantic filtering.
  • Ingestion points: The primary input is a local HTML file (PAGE.html) and metadata extracted from it.
  • Boundary markers: None. The instructions do not direct the agent to ignore instructions embedded within the processed content.
  • Capability inventory: The skill has high privileges including Bash, Read, and Write access.
  • Sanitization: scripts/clean_html.py removes active script tags (<script>) and event handler attributes (on*), which prevents traditional XSS but does not address natural language instructions designed to manipulate the LLM.
  • [COMMAND_EXECUTION]: Potential for command injection through shell interpolation.
  • The Process section in SKILL.md instructs the agent to execute uv run ... PAGE.html. If the agent does not properly escape the file path or the PAGE_URL placeholder when constructing the shell command, it could lead to arbitrary command execution if a user provides a maliciously crafted filename.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 03:33 PM
Security Audit — agent-trust-hub — scrape-analyze-page