web-article-extractor
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the
turndownandreadabilitylibraries from the well-known JSDelivr CDN at runtime inscripts/markdown_converter.jsandscripts/readability_loader.js. - [REMOTE_CODE_EXECUTION]: Dynamically loads and executes JavaScript from the JSDelivr CDN into the browser context using script tag injection.
- [REMOTE_CODE_EXECUTION]: Employs the
eval()function inscripts/readability_extractor.jsandscripts/readability_extractor_local.jsto execute the Readability library code, which is stored as an inlined string literal. - [COMMAND_EXECUTION]: Documentation in
SKILL.mdsuggests shell commands that configure thechrome-devtoolsMCP server with flags that weaken browser security, such as--disable-web-securityand--disable-features=IsolateOrigins,site-per-process. - [DATA_EXFILTRATION]:
scripts/save_with_images.jsutilizes Node.jshttpandhttpsmodules to download images from arbitrary external URLs to the local filesystem, which is part of its core functionality. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted data from external websites.
- Ingestion points: Extracts text, titles, and metadata from arbitrary URLs provided at runtime.
- Boundary markers: No protective delimiters or instructions to ignore embedded commands are added to the extracted content.
- Capability inventory: The skill can execute arbitrary JavaScript in the browser, write files locally, and initiate network requests.
- Sanitization: While it removes HTML formatting tags (like
<script>), it does not sanitize the resulting text for malicious natural language instructions aimed at the agent.
Audit Metadata