skills/mathews-tom/armory/web-fetch/Gen Agent Trust Hub

web-fetch

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: Uses curl, jq, and python3 to fetch and parse web data.
      • Evidence: Patterns provided in SKILL.md for API calls and HTML parsing.
  • [REMOTE_CODE_EXECUTION]: The skill uses python3 -c to execute locally defined code for data processing. It does not execute code from remote sources.
      • Evidence: The commands curl ... | python3 -c "..." in SKILL.md pipe URL data to a local script's stdin rather than executing the data itself.
  • [CREDENTIALS_UNSAFE]: Adheres to security best practices by recommending environment variables for secrets.
      • Evidence: Instructions state 'Never hardcode tokens or passwords in commands' and demonstrate usage of $API_TOKEN and $PASSWORD in SKILL.md.
  • [PROMPT_INJECTION]: The skill fetches external data, which is an ingestion point for untrusted content.
      • Ingestion points: WebFetch tool and curl output in SKILL.md.
      • Boundary markers: Absent.
      • Capability inventory: Shell command execution (curl, jq, python3), file writing (-o, /tmp/response.json, /tmp/cookies.txt), and network operations (curl, WebFetch).
      • Sanitization: None identified.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 06:25 AM