article-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill uses Bash and Write tools to execute complex shell scripts. It directly interpolates a user-provided ARTICLE_URL into shell commands (reader "$ARTICLE_URL") without shell-escaping, which is a classic command injection vulnerability.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill explicitly instructs the agent to install external packages (npm install -g reader-cli, pip3 install trafilatura) if they are missing. This introduces risks of supply chain attacks or environment contamination.
- [PROMPT_INJECTION] (HIGH): As an 'Article Extractor', the skill's primary function is to ingest untrusted content from the web.
  - Ingestion points: Data enters via curl, reader, or trafilatura from an external URL.
  - Boundary markers: None. The extracted text is piped directly into files and shown to the user/agent without delimiters.
  - Capability inventory: The skill has access to Bash (subprocess execution) and Write (file system modification).
  - Sanitization: No sanitization is performed on the extracted content. If an article contains malicious instructions (Indirect Prompt Injection), the agent might follow them in subsequent steps, especially since the skill suggests using the output for further tasks like 'Ship-Learn-Next' plans.
- [DATA_EXFILTRATION] (LOW): While the skill uses curl to fetch data, it does not show patterns of sending local sensitive files externally. However, the Bash capability makes exfiltration trivial if an attacker-controlled URL is processed.
Recommendations
- AI detected serious security threats
Audit Metadata