scrape-review-schema

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell commands defined in SKILL.md, such as the cp operations, use variables like spec_path and page_id directly in the command string. If these variables are populated with unsanitized data containing shell metacharacters, an attacker could achieve arbitrary command execution on the user's system.\n- [EXTERNAL_DOWNLOADS]: The assets/review.html file references typography resources from Google Fonts (fonts.googleapis.com), which is a well-known and trusted external service.\n- [DATA_EXFILTRATION]: The scripts/feedback-server.py utility starts a local server to receive feedback. It implements a permissive Access-Control-Allow-Origin: * policy. This allows any website visited by the user in the same browser to send POST requests to the local server, potentially poisoning the feedback data or interfering with the agent's instructions through CSRF.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted workspace data. (1) Ingestion: SKILL.md reads analysis data and metadata from local files. (2) Boundary markers: No delimiters or ignore-instructions are used for the displayed data. (3) Capability: The agent processes feedback from a local server as authoritative input. (4) Sanitization: Although review.js uses escapeHtml for UI text, the review page displays raw HTML in an iframe, which could execute malicious scripts to influence the feedback loop.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:34 PM
Security Audit — agent-trust-hub — scrape-review-schema