defuddle
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs an automated global installation of the `defuddle` and `jsdom` packages using `npm install -g`. While `jsdom` is a well-known library, `defuddle` is an external dependency from a source not explicitly listed as a trusted vendor.
- [COMMAND_EXECUTION]: The skill relies on shell command execution for both environment preparation (`command -v`, `npm install`) and its core functionality (`defuddle parse`).
- [REMOTE_CODE_EXECUTION]: The command `defuddle parse "<url>"` interpolates a user-controlled URL directly into a shell execution string. This poses a risk of command injection if the agent does not strictly validate or escape the URL for shell metacharacters such as backticks or semicolons.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes content fetched from external websites.
  - Ingestion points: Content enters the agent's context through external URLs processed by the `defuddle parse` command.
  - Boundary markers: The skill instructions do not specify any boundary markers or delimiters to help the agent distinguish between the tool's output and potentially malicious embedded instructions.
  - Capability inventory: The skill has capabilities to write files to the local filesystem and execute shell commands, which could be exploited by an indirect injection attack.
  - Sanitization: No specific sanitization or filtering of the extracted content is mentioned before presenting the data to the user or saving it to a file.
Audit Metadata