anysite-competitor-analyzer
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell commands to invoke Python scripts (scripts/analyze_competitor.py) for initializing templates, processing data, and generating final reports in Markdown format.\n- [REMOTE_CODE_EXECUTION]: The analysis workflow includes a Python one-liner that utilizes the exec() function to dynamically import the format_markdown_report function and process piped JSON data. While used here for internal formatting, exec() is a sensitive pattern that can be exploited if inputs are not strictly controlled.\n- [PROMPT_INJECTION]: The skill possesses a high exposure to indirect prompt injection because its core functionality depends on ingesting large volumes of untrusted data from external sources.\n
- Ingestion points: Data is scraped from competitor websites, LinkedIn profiles, Twitter posts, Reddit threads, and Glassdoor reviews (SKILL.md Phases 1 through 5).\n
- Boundary markers: The instructions do not define specific delimiters or security headers to separate the agent's internal logic from the external data being analyzed.\n
- Capability inventory: The skill can execute local commands (Python scripts) and has the ability to generate download links for collected datasets via the export_data tool.\n
- Sanitization: The provided documentation does not detail any sanitization, filtering, or validation processes for the data ingested before it is interpreted by the agent or the reporting scripts.
Audit Metadata