article-extractor
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bash scripts provided in the skill use shell variable interpolation for the
ARTICLE_URLandTITLEvariables (e.g.,reader "$ARTICLE_URL",curl -s "$ARTICLE_URL"). While double-quoted, these patterns remain susceptible to argument injection or command substitution if the agent does not strictly validate the URL format or if the underlying tools handle certain characters unsafely. - [EXTERNAL_DOWNLOADS]: The skill instructions prompt the agent to install external software globally using
npm install -g @mozilla/readability-cliandpip3 install trafilatura. While these are well-known packages, runtime installation of external dependencies introduces supply chain risks. - [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from arbitrary web URLs and processes it without using boundary markers or sanitization instructions.
- Ingestion points: Content is fetched via
curl,reader, ortrafilaturafrom user-provided URLs inSKILL.md. - Boundary markers: The skill lacks any delimiters or system-level instructions to ignore embedded commands within the extracted article text.
- Capability inventory: The skill has access to
BashandWritetools, allowing it to execute system commands and modify the filesystem. - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is returned to the agent's context or displayed to the user.
Audit Metadata