extract
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from external websites (HTML, text, metadata) and processing it through an LLM to 'infer' brand personality, design principles, and page types. This tainted data is then stored in project files which are consumed by downstream skills.
  - Ingestion points: SKILL.md, reference/ia-extraction.md, and reference/playwright-recipe.md describe crawling external URLs, sitemaps, and robots.txt.
  - Boundary markers: Absent. The instructions do not define clear boundaries or 'ignore' directives for the LLM when processing ingested web content.
  - Capability inventory: The skill writes numerous JSON, Markdown, and HTML files to the 'stardust/current/' directory. It uses Playwright to render pages and interact with DOM elements.
  - Sanitization: Absent. Content like innerText, landmark structure, and alt text is captured and stored without explicit sanitization mentioned in the procedures.
- [COMMAND_EXECUTION]: The skill uses shell commands via 'npx playwright' to perform browser-based extraction. While necessary for its functionality, it represents a powerful capability that could be misused if execution parameters were compromised.
- [EXTERNAL_DOWNLOADS]: The skill performs automated network requests to fetch sitemaps, robots.txt, and various media assets (images, SVGs, CSS backgrounds) from the user-provided target origin.