document-hunter
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill uses `curl` to download the RECAP browser extension from `github.com/freelawproject/recap-chrome`. Although this is a legitimate legal-tech organization, it is not on the pre-defined list of trusted sources, and downloading binary assets (a zip file containing an extension) for browser injection carries inherent security risks.
- REMOTE_CODE_EXECUTION (MEDIUM): The workflow involves generating and executing a Python script (`download-documents.py`) at runtime. This script is constructed using templates that interpolate external URLs and data retrieved from web searches, which could be manipulated by malicious content on the target websites.
- COMMAND_EXECUTION (LOW): The skill executes multiple bash commands to install Python packages, set up Playwright browser drivers, and manage local file directories. These operations are necessary for the skill's functionality but should be performed with least privilege.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: The skill ingests untrusted text from DocumentCloud, Scribd, and various court websites (titles, descriptions, and HTML content).
  - Boundary markers: No explicit delimiters or instructions are used to separate untrusted web data from the agent's core logic.
  - Capability inventory: The skill has significant capabilities including file system access, network downloads, and shell command execution.
  - Sanitization: There is no evidence of sanitization for the data extracted from the web before it is incorporated into reports or manifest files.