data-collector
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION, NO_CODE, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill is designed to download content from any user-provided URL. This facilitates the ingestion of untrusted data directly into the agent's working environment.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection.
  - Ingestion points: Data is fetched from untrusted external URLs (specified in `SKILL.md`).
  - Boundary markers: None. Content is written directly to the filesystem without isolation or 'ignore' instructions.
  - Capability inventory: File system write access (the `out` argument) and unrestricted network access.
  - Sanitization: No sanitization logic is described or present in the metadata to filter malicious instructions within fetched data.
- [DATA_EXFILTRATION] (HIGH): Given that the skill is intended to send data to URLs and the documentation mentions handling 'Confidential' and 'Personal' knowledge, there is a severe risk of the agent being coerced into exfiltrating local secrets to an attacker-controlled endpoint.
- [NO_CODE] (MEDIUM): The critical logic file `scripts/collect.cjs` and the referenced `codebase-mapper/scripts/map.cjs` are missing, preventing a full audit of how parameters like `url` and `out` are sanitized before execution.
- [CREDENTIALS_UNSAFE] (MEDIUM): The `SKILL.md` file explicitly references a 'Knowledge Protocol' for managing confidential/personal secrets, which significantly increases the impact of any prompt injection or exfiltration vulnerability.
Recommendations
- AI detected serious security threats. Do not install this skill as published: its `scripts/collect.cjs` logic is missing, so the handling of `url` and `out` cannot be verified; fetched content reaches the filesystem with no boundary markers and no sanitization; and the skill runs alongside a 'Knowledge Protocol' that handles 'Confidential' and 'Personal' data, which is exactly what a successful injection would target.
Audit Metadata