competitive-ads-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH · PROMPT_INJECTION · DATA_EXFILTRATION · NO_CODE
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and analyze untrusted data from external websites (Facebook, LinkedIn Ad Libraries). This creates a significant attack surface where an attacker can embed malicious instructions in ad copy to override the agent's behavior.
      • Ingestion points: Scrapes content from Facebook Ad Library, LinkedIn, and other external web platforms (defined in SKILL.md).
      • Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to treat the scraped ad content as untrusted data.
      • Capability inventory: The skill possesses file-writing capabilities (saving to ~/competitor-ads/) and network access (scraping tools). If a prompt injection occurs, these capabilities can be used to read sensitive local files and send them to an external server.
      • Sanitization: Absent. There is no mention of sanitizing, filtering, or validating the scraped text before it is processed by the AI.
  • Data Exfiltration (MEDIUM): The skill requires network access to function and writes data to the local filesystem. In the event of a successful prompt injection from a scraped ad, an attacker could command the agent to exfiltrate sensitive user data to a remote URL.
  • No Code (INFO): No executable scripts (Python, JavaScript, etc.) were provided. The analysis is based on the behavioral descriptions and instructions contained in the markdown file.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:18 AM