web-search
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/web_search.py prints the full request headers to standard output within the ve_request_with_apikey function. This includes the Authorization header containing the plaintext WEB_SEARCH_API_KEY, leading to sensitive credential exposure in the agent's execution logs.
- [CREDENTIALS_UNSAFE]: The instructions in SKILL.md direct the agent to ask users for sensitive credentials (WEB_SEARCH_API_KEY, VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY) and write them to an environment file within the local workspace, which may be accessible to other processes or subsequent agent tasks.
- [COMMAND_EXECUTION]: The skill operates by executing a local Python script (scripts/web_search.py) through a shell command, passing user-provided queries as arguments.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests unsanitized summaries from external websites and presents them to the agent for response generation.
- Ingestion points: Search result summaries from the Result.WebResults API field are extracted in scripts/web_search.py.
- Boundary markers: No delimiters or 'ignore' instructions are used when passing the web content to the agent.
- Capability inventory: The agent has the capability to execute local scripts and write to the filesystem.
- Sanitization: No filtering or sanitization is performed on the external web content beyond basic whitespace stripping.
Recommendations
- AI detected serious security threats
Audit Metadata