html-parser-rule

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It fetches external content from arbitrary URLs and instructs the agent to analyze the structure.
  • Ingestion points: External HTML content fetched via curl into /tmp/source.html and read using head and fs.readFileSync.
  • Boundary markers: None. There are no delimiters or instructions to ignore embedded malicious prompts within the HTML.
  • Capability inventory: Execution of shell commands (curl, node, pnpm, grep), file system writes (/tmp/source.html), and project-wide script execution (pnpm run collect).
  • Sanitization: None. The content is processed raw by the agent and Node.js scripts.
  • [COMMAND_EXECUTION] (HIGH): The skill uses curl to fetch user-provided URLs. This could be exploited for Server-Side Request Forgery (SSRF) to access internal metadata services or local network resources. It also executes pnpm run collect, which could trigger broader system effects depending on the project configuration.
  • [REMOTE_CODE_EXECUTION] (HIGH): Uses node -e to execute JavaScript code that processes content from the external /tmp/source.html. While the code template is fixed, an attacker controlling the HTML could potentially exploit regex vulnerabilities (ReDoS) or influence the agent's logic generation in Step 7.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:12 AM