article-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core purpose is to ingest untrusted data from external URLs.
  - Ingestion points: Processes any user-provided or attacker-controlled URL (SKILL.md).
  - Boundary markers: No explicit instruction delimiters or 'ignore embedded instructions' warnings are defined for the extracted content.
  - Capability inventory: The skill allows file-writing (saving to ~/reading/) and summary generation, which involves the agent reasoning over the untrusted data.
  - Sanitization: While filename sanitization is mentioned, there is no evidence of content sanitization to prevent hidden instructions in HTML/markdown from influencing the agent's next steps.
- [Command Execution] (MEDIUM): The 'Fallback' method uses curl to fetch content. If the agent passes a URL directly to a shell-based curl command without rigorous escaping, it could lead to command injection or Server-Side Request Forgery (SSRF) against local services (e.g., localhost:8080).
- [External Downloads] (MEDIUM): The skill prompts users to install specific NPM and PIP packages (trafilatura, @nicolo-ribaudo/readability-cli). While these are known tools, the skill itself comes from an untrusted source (michalparkola), making the dependency chain unverifiable from a security standpoint.
- [Data Exposure] (LOW): The skill writes extracted content to the filesystem. If not restricted to specific directories, an attacker could potentially use path traversal or file:// URIs to trick the agent into 'extracting' (and thus exposing) sensitive local files like ~/.ssh/id_rsa.
Recommendations
- AI detected serious security threats