site-discovery
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides templates for executing shell commands that invoke the MCP client script at '.claude/skills/mcp-client/scripts/mcp_client.py'. These commands pass complex JavaScript code as string arguments to the 'browser_run_code' function, which poses an injection risk if user-controlled data (such as URLs or selectors) is interpolated into that JavaScript without robust escaping.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and processes content from arbitrary, untrusted websites.
  - Ingestion points: Data is ingested from external websites via 'page.goto()' and the subsequent extraction logic for links, forms, and accessibility snapshots in 'SKILL.md'.
  - Boundary markers: The skill does not implement delimiters or safety instructions that distinguish untrusted web content from agent directives.
  - Capability inventory: The skill's execution environment allows subprocess calls and arbitrary JavaScript execution within a browser session.
  - Sanitization: Website data is ingested and processed in its raw form, without sanitization or validation.
Audit Metadata