web-fetch
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill launches a local Google Chrome or Chromium binary via
subprocess.Popeninscripts/web_fetch.py. This is the primary mechanism for page rendering. The implementation uses list-based command construction withoutshell=True, which is a secure practice that prevents shell injection attacks. - [DATA_EXFILTRATION]: The skill performs network operations to fetch content from external URLs. This is the intended purpose of the tool. It also communicates over a local loopback connection (
127.0.0.1) to control the browser instance via a custom WebSocket implementation. - [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it retrieves and processes untrusted HTML content from the web.
- Ingestion points: Data enters the system via the
fetch_pagefunction inscripts/web_fetch.py. - Boundary markers: The output is clearly delimited by format (JSON or text separators) as documented in
SKILL.md. - Capability inventory: The script is focused on data retrieval and does not possess capabilities for file modification or remote code execution on the host.
- Sanitization: Content is cleaned by removing
<script>,<style>, and comment tags using regular expressions or thetrafilaturalibrary if available.
Audit Metadata