scrape-create-spider
Fail
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill takes user-provided arguments (specifically
project_dir) and inserts them directly into a shell command (cd {project_dir} && uv run scrapy...). This lacks sanitization and could allow an attacker to execute arbitrary commands by including shell metacharacters in the argument string. - [REMOTE_CODE_EXECUTION]: The skill utilizes a dynamic code generation pattern where it writes a Python Scrapy spider to a file and then immediately executes that file using the
uv runcommand. This pattern can be exploited if the generation logic is influenced by malicious input. - [DATA_EXFILTRATION]: The instructions in
SKILL.mddirect the agent to read files from${CLAUDE_SKILL_DIR}/../scrape/references. Using..for path traversal allows the skill to access data outside its own directory, which could be used to harvest information from other skills or the filesystem. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it scrapes content from external websites into
items.jsonland then instructs the agent to read and evaluate this data for quality. Maliciously crafted content on a target website could provide instructions that the agent might inadvertently follow. - Ingestion points:
items.jsonl(File-read of external web content) - Boundary markers: None present; the agent processes the raw scraped output
- Capability inventory: The skill has access to
Bash,Read,Write, andEdittools, allowing for command execution and file system modification - Sanitization: No sanitization or validation of the scraped content is performed before the agent processes it
Recommendations
- AI detected serious security threats
Audit Metadata