scrape-codegen-generate
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It reads external data from multiple extraction analysis files and synthesizes them into executable Python code without sanitization or boundary markers.\n
- Ingestion points: Stage 1 analysis files in
{work_path}/codegen-analyze/and schema definitions in{spec_path}.\n - Boundary markers: Absent. The prompt instructions do not provide delimiters or warnings to ignore embedded instructions within the input JSON files.\n
- Capability inventory: The skill uses
ReadandWritetools and has access toBash.\n - Sanitization: Absent. There is no validation or escaping of the content extracted from JSON files before it is interpolated into the generated Python module.\n- [COMMAND_EXECUTION]: The skill generates Python code and writes it to an
output_pathderived from the$ARGUMENTSstring. The absence of path validation or sandboxing allows for a path traversal attack, where a user could specify sensitive locations such as shell profile directories (~/.bashrc) or cron jobs to achieve persistence or arbitrary command execution.\n- [DATA_EXFILTRATION]: The skill uses positional arguments from$ARGUMENTSto perform file read operations via theReadtool. Without validation, this presents a directory traversal surface, potentially allowing the agent to be tricked into reading sensitive local configuration files (e.g., credentials or environment variables) by providing manipulated path strings.
Audit Metadata