web-article-extractor
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary JavaScript within a browser context using the javascript_tool (javascript_exec action). This is used for article extraction but allows the execution of arbitrary logic on any navigated webpage.
- [COMMAND_EXECUTION]: Skill documentation in SKILL.md recommends disabling browser security features using flags like --disable-web-security and --disable-blink-features=AutomationControlled when configuring the Chrome DevTools MCP server.
- [EXTERNAL_DOWNLOADS]: Multiple scripts (markdown_converter.js, readability_extractor.js.backup, readability_loader.js) download external JavaScript libraries, such as Turndown.js and Readability.js, from cdn.jsdelivr.net at runtime.
- [EXTERNAL_DOWNLOADS]: The save_with_images.js script performs network requests using Node.js http and https modules to download images from arbitrary URLs extracted from webpages.
- [REMOTE_CODE_EXECUTION]: The skill uses eval() to execute JavaScript code in several locations. In readability_loader.js, it reads local script files using fs.readFileSync and executes them via eval(). In readability_extractor.js, the Mozilla Readability library is stored as a template literal and executed using eval().
- [DATA_EXFILTRATION]: The skill accesses the local file system (e.g., ~/.claude/skills/web-article-extractor/scripts/) to read its own script files for execution in the browser. It also writes extracted content and downloaded images to user-specified local directories.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes and interprets content from untrusted external websites.
- Ingestion points: Untrusted data enters the agent context through user-provided URLs navigated via the Chrome DevTools MCP (SKILL.md, README.md).
- Boundary markers: No explicit delimiters or instructions are provided to the model to ignore potential commands embedded within the extracted article content.
- Capability inventory: The skill has significant capabilities, including arbitrary JavaScript execution in the browser (readability_extractor.js), file system read/write access (save_with_images.js, readability_loader.js), and network request capabilities (save_with_images.js).
- Sanitization: While filename sanitization is performed in save_with_images.js, the primary article text extracted by the Readability algorithm is not sanitized for potential malicious instructions before being returned to the agent.
Audit Metadata