url_reader
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill fetches untrusted data from the web and feeds it directly into the agent's context, creating an attack surface for embedded instructions to take control of the agent.
  - Ingestion points: `scripts/fetch_url.py` uses the `requests` library to fetch content from any URL provided by the user or found in previous steps.
  - Boundary markers: None. The fetched content is printed to the agent's context without any delimiters or 'ignore' instructions, making it indistinguishable from system instructions.
  - Capability inventory: While the script itself only reads data, the agent's subsequent 'analysis' of this data can trigger other tools or actions based on malicious text found on the page.
  - Sanitization: The script removes HTML tags using BeautifulSoup, but this does not protect against natural language prompt injection hidden in the text.
- [Data Exposure] (MEDIUM): The script is vulnerable to SSRF because it performs GET requests to arbitrary URLs without domain or IP validation.
  - Evidence: The `fetch_text` function in `scripts/fetch_url.py` accepts any URL string and executes `requests.get(url)`, which could be used to probe internal network resources or cloud metadata services (e.g., 169.254.169.254).
Recommendations
- AI detected serious security threats
Audit Metadata