audit-website
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill depends on a CLI binary (squirrel) downloaded from a non-whitelisted third-party domain (squirrelscan.com).
- [COMMAND_EXECUTION]: The agent is authorized to execute the squirrel binary via the Bash tool. Although restricted by the command prefix, the tool performs extensive network operations and local database management that could be exploited.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it directs the agent to crawl external websites and apply code 'fixes' based on those findings. Maliciously crafted website content could influence the agent to perform harmful or unauthorized edits to local project files.
  - Ingestion points: External website content processed via the squirrel audit command.
  - Boundary markers: Findings are structured in a compact XML-based LLM format, but the 'Fix' instructions are derived from remote data.
  - Capability inventory: The agent has Edit permissions for local files and Bash access for the squirrel CLI.
  - Sanitization: No sanitization or validation of the suggested fixes is mentioned or implemented.
- [DATA_EXFILTRATION]: The audit process explicitly looks for 'Leaked secrets' (API keys, tokens, etc.) on target websites. These credentials are included in the reports processed by the agent, creating a risk that sensitive production data could be exposed in the LLM's context or history logs.