scrape-to-crm
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes data from external LinkedIn profiles and company pages, which are attacker-controllable sources.
- Ingestion points: Scraped data is retrieved from various LinkedIn actors via the Apify MCP tools as described in
SKILL.md. - Boundary markers: The skill does not define clear delimiters or use 'ignore embedded instructions' prompts when handling the scraped content.
- Capability inventory: The skill utilizes
curlcommands to interact with the Attio API and can potentially build n8n workflows. - Sanitization: While the documentation suggests using
JSON.stringify()to prevent breakage, the provided code examples use direct string interpolation (e.g.,<full_name>) within shell commands, which may allow malicious profile content to influence agent logic. - [COMMAND_EXECUTION]: The skill executes
curlcommands to send data to the Attio CRM. While targeting a well-known service (api.attio.com), the inclusion of untrusted data from LinkedIn scrapes into these shell commands creates a risk of command injection if the agent does not properly escape the variables before execution.
Audit Metadata