ljg-fetch
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands (`curl`, `markitdown`, `rm`) and Python scripts using unvalidated placeholders `{URL}` and `{file_path}`. This creates a significant risk of command injection if a user provides a crafted string (e.g., using backticks or semicolons) that the agent executes directly in a shell environment.
- [DATA_EXFILTRATION]: The 'Local File Mode' allows the skill to read arbitrary file paths provided by the user. There are no restrictions to prevent the skill from reading sensitive files (e.g., `.env`, `.bash_history`, or configuration files) and 'exposing' them by converting them to markdown and saving them to the `~/Downloads/` directory.
- [EXTERNAL_DOWNLOADS]: The skill uses `curl`, `requests`, and Playwright to fetch content from arbitrary, user-defined URLs. Interacting with untrusted remote content can expose the agent to various web-based threats.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (web page content). If a fetched page contains hidden malicious instructions, the agent might inadvertently follow them during the markdown conversion or subsequent processing steps.
- Ingestion points: URLs provided by users and fetched via WebFetch, curl, requests, or Playwright.
- Boundary markers: The instructions include a prompt for Strategy A to 'Extract the complete main content', but no explicit security delimiters or 'ignore embedded instructions' warnings are used for other strategies.
- Capability inventory: File system write access (`~/Downloads`), shell command execution (`curl`, `markitdown`, `rm`), and network requests.
- Sanitization: No evidence of sanitization or validation of the fetched HTML/markdown content before it is saved or reported.
Recommendations
- AI detected serious security threats