scrape-create-spider

Fail

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill takes user-provided arguments (specifically project_dir) and inserts them directly into a shell command (cd {project_dir} && uv run scrapy...). This lacks sanitization and could allow an attacker to execute arbitrary commands by including shell metacharacters in the argument string.
  • [REMOTE_CODE_EXECUTION]: The skill utilizes a dynamic code generation pattern where it writes a Python Scrapy spider to a file and then immediately executes that file using the uv run command. This pattern can be exploited if the generation logic is influenced by malicious input.
  • [DATA_EXFILTRATION]: The instructions in SKILL.md direct the agent to read files from ${CLAUDE_SKILL_DIR}/../scrape/references. Using .. for path traversal allows the skill to access data outside its own directory, which could be used to harvest information from other skills or the filesystem.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it scrapes content from external websites into items.jsonl and then instructs the agent to read and evaluate this data for quality. Maliciously crafted content on a target website could provide instructions that the agent might inadvertently follow.
  • Ingestion points: items.jsonl (File-read of external web content)
  • Boundary markers: None present; the agent processes the raw scraped output
  • Capability inventory: The skill has access to Bash, Read, Write, and Edit tools, allowing for command execution and file system modification
  • Sanitization: No sanitization or validation of the scraped content is performed before the agent processes it
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 26, 2026, 03:33 PM
Security Audit — agent-trust-hub — scrape-create-spider