crawl4ai
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it is designed to ingest and process content from arbitrary third-party websites.\n
- Ingestion points: Untrusted data enters the agent context via
AsyncWebCrawler.arunandarun_manyinscripts/basic_crawler.pyandscripts/batch_crawler.py.\n - Boundary markers: Absent. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded within the fetched web content.\n
- Capability inventory: The skill has the capability to write files locally (
open().write()in both crawler scripts) and execute system commands (subprocess.run()intests/run_all_tests.py).\n - Sanitization: Basic filename sanitization is present in
scripts/batch_crawler.py, but the crawled content itself is not sanitized before being processed by the agent.\n- DATA_EXFILTRATION (HIGH): The skill can be tricked into reading sensitive local files through its URL loading mechanism.\n - Evidence: The
load_urlsfunction inscripts/batch_crawler.pyusesPath(source).exists()andwith open(source)to read input. It does not validate that the source is a safe file or a simple URL list.\n - Risk: An attacker could provide a sensitive path (e.g.,
/etc/passwdor~/.ssh/id_rsa) as the input 'source', causing the skill to read and potentially process or expose the contents of that file.\n- COMMAND_EXECUTION (MEDIUM): The skill includes a test runner that executes local Python files using the system shell.\n - Evidence:
tests/run_all_tests.pyusessubprocess.run([sys.executable, test_file])to run scripts within thetests/directory.
Recommendations
- AI detected serious security threats
Audit Metadata