competitive-ads-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external sources (Facebook and LinkedIn Ad Libraries), which is the primary vector for indirect prompt injection.
- Ingestion points: Automated scraping of competitor ad copy and metadata from public ad libraries as described in SKILL.md.
- Boundary markers: The skill lacks any defined boundary markers or instructions to treat scraped content as data rather than instructions.
- Capability inventory: The skill possesses file system write capabilities (writing to ~/competitor-ads/) and performs network operations, allowing an injection to potentially modify local files or exfiltrate data.
- Sanitization: No sanitization or escaping of the scraped text is mentioned before it is passed to the analysis phase.
- Data Exposure (MEDIUM): The skill writes screenshots and reports to the home directory. If an attacker can influence the file paths or content via injected ad copy, they could potentially overwrite sensitive user files or configurations.
Recommendations
- AI detected serious security threats