directory-submitter
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes browser automation capabilities (Playwright and Chrome Extension) to interact with web pages. It uses commands such as browser_navigate, browser_type, browser_click, and Computer Use tools (left_click, type) to fill and submit forms on external websites.
- [EXTERNAL_DOWNLOADS]: The agent is instructed to navigate to and extract data from over 190 external directory URLs listed in directories/DIRECTORIES.md. This includes navigation to various third-party domains, Google Forms, and Tally forms. It also visits arbitrary product URLs provided by the user in the workflows/setup-product.md workflow.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection (Category 8).
  - Ingestion points: The workflows/setup-product.md file instructs the agent to visit a user-provided URL and read the full page content to extract product information.
  - Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions that might be embedded within the content of the external websites it visits.
  - Capability inventory: The agent possesses high-privilege capabilities including browser navigation, form interaction, file uploads, and writing local markdown files to the profiles/ and tracking/ directories.
  - Sanitization: No sanitization or filtering logic is described for the content retrieved from external web pages before it is used to populate product profiles or influence agent behavior. Note: The impact is reduced by the requirement for user confirmation before any submission occurs.