content-extract
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by fetching content from arbitrary URLs and returning the resulting Markdown directly to the agent's context.
  - Ingestion points: URLs ingested by the content_extract.py script and the web_fetch tool.
  - Boundary markers: The extracted content is returned in a raw JSON field without delimiters or instructions for the agent to treat the content as untrusted.
  - Capability inventory: The skill and agent have the capability to execute shell commands and access local files.
  - Sanitization: There is no evidence of sanitization or safety filtering on the fetched content.
- [COMMAND_EXECUTION]: The wrapper script scripts/content_extract.py executes a secondary Python script using subprocess.run. The location of the executable script is resolved at runtime through environment variables or relative file system searches.
- [COMMAND_EXECUTION]: The skill's output contract explicitly shares internal file system paths, including the local markdown storage path and output directories, with the AI agent, providing visibility into the local workspace structure.
Audit Metadata