scrape-analyze-page
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted HTML data without proper boundary markers or semantic filtering.
- Ingestion points: The primary input is a local HTML file (
PAGE.html) and metadata extracted from it. - Boundary markers: None. The instructions do not direct the agent to ignore instructions embedded within the processed content.
- Capability inventory: The skill has high privileges including
Bash,Read, andWriteaccess. - Sanitization:
scripts/clean_html.pyremoves active script tags (<script>) and event handler attributes (on*), which prevents traditional XSS but does not address natural language instructions designed to manipulate the LLM. - [COMMAND_EXECUTION]: Potential for command injection through shell interpolation.
- The
Processsection inSKILL.mdinstructs the agent to executeuv run ... PAGE.html. If the agent does not properly escape the file path or thePAGE_URLplaceholder when constructing the shell command, it could lead to arbitrary command execution if a user provides a maliciously crafted filename.
Audit Metadata