felo-web-fetch
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXFILTRATION]: The skill facilitates the transmission of webpage URLs and optional metadata (such as cookies or user-agent strings) to the official Felo API (
openapi.felo.ai) for content extraction. This behavior is consistent with the stated purpose of the skill and targets the vendor's own infrastructure. - [REMOTE_CODE_EXECUTION]: No remote code execution vectors were identified. The implementation uses standard Node.js fetch operations to interact with a REST API and processes the returned data as text or JSON without using dangerous execution functions like eval().
- [PROMPT_INJECTION]: The skill is designed to ingest external data from URLs, which presents a surface for indirect prompt injection. However, the skill itself does not include instructions to override safety filters or bypass agent constraints. The risk is inherent to the tool's function and is managed by the underlying agent framework.
- [CREDENTIALS_UNSAFE]: The skill uses an environment variable (
FELO_API_KEY) to manage authentication, which is a standard and recommended security practice for handling API credentials in CLI tools.
Audit Metadata