scrape-review-schema
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Shell commands defined in
SKILL.md, such as thecpoperations, use variables likespec_pathandpage_iddirectly in the command string. If these variables are populated with unsanitized data containing shell metacharacters, an attacker could achieve arbitrary command execution on the user's system.\n- [EXTERNAL_DOWNLOADS]: Theassets/review.htmlfile references typography resources from Google Fonts (fonts.googleapis.com), which is a well-known and trusted external service.\n- [DATA_EXFILTRATION]: Thescripts/feedback-server.pyutility starts a local server to receive feedback. It implements a permissiveAccess-Control-Allow-Origin: *policy. This allows any website visited by the user in the same browser to send POST requests to the local server, potentially poisoning the feedback data or interfering with the agent's instructions through CSRF.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted workspace data. (1) Ingestion:SKILL.mdreads analysis data and metadata from local files. (2) Boundary markers: No delimiters or ignore-instructions are used for the displayed data. (3) Capability: The agent processes feedback from a local server as authoritative input. (4) Sanitization: Althoughreview.jsusesescapeHtmlfor UI text, the review page displays raw HTML in an iframe, which could execute malicious scripts to influence the feedback loop.
Audit Metadata