extract
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from arbitrary websites to determine scraping logic and generate scripts.
  - Ingestion points: Website content is retrieved using the vendor's `actionbook browser snapshot` and `actionbook browser text` commands.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when processing the external site data.
  - Capability inventory: The skill can write files to the local file system and execute shell commands via the `node` runtime.
  - Sanitization: There is no documented process for sanitizing or escaping the content scraped from the web before it is used in code generation.
- [COMMAND_EXECUTION]: The skill follows a pattern of generating a JavaScript file (`.cjs`) and immediately executing it using the `node` command. While this is the primary function of the tool, executing AI-generated code that incorporates untrusted external input carries inherent security risks.
Audit Metadata