google-tagmanager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): GTM is designed to ingest data from untrusted sources like the browser's data layer, DOM, and URL parameters, and provides capabilities to execute Custom HTML tags and JavaScript. This combination creates a significant vulnerability surface where malicious instructions in website content could influence the agent's behavior. Evidence: Ingestion points include window.dataLayer and URL variables as described in SKILL.md and references/setup.md; execution capabilities are detailed in references/tags.md.
- Unverifiable Dependencies & Remote Code Execution (LOW): The container installation snippet in references/setup.md downloads and executes a script from googletagmanager.com. While this is remote code execution, it is from a trusted Google domain. Evidence: Installation script in references/setup.md targeting googletagmanager.com.
- Dynamic Execution (MEDIUM): The skill documents the use of Custom HTML tags and Custom JavaScript variables for runtime code execution. It also details a technique using the text/gtmscript type to bypass GTM's built-in syntax validation. Evidence: references/tags.md and references/best-practices.md.
Recommendations
- AI detected serious security threats