web-fetch
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from external URLs, posing a risk of indirect prompt injection. Evidence: (1) Ingestion points: Content retrieved via WebFetch and curl commands. (2) Boundary markers: Absent; no delimiters or instructions to ignore embedded content are defined. (3) Capability inventory: Subprocess calls (curl, jq, python3) and file system operations (cookie storage, output saving). (4) Sanitization: Absent; fetched content is returned to the agent context without filtering.
- [COMMAND_EXECUTION]: Extensive use of shell commands like curl and jq provides powerful capabilities that could be misused if the agent is manipulated by malicious input.
- [EXTERNAL_DOWNLOADS]: The skill is designed to retrieve data from arbitrary external sources, which is its primary function but inherently involves interacting with untrusted endpoints.
- [REMOTE_CODE_EXECUTION]: Automated scans identified patterns of piping network output to python3. Analysis indicates these pipelines parse HTML and text using static scripts passed on the command line, though the presence of an interpreter in the data pipeline remains a noteworthy capability.
Recommendations
- HIGH: Downloads and executes remote code from: https://example.com, https://example.com/page - DO NOT USE without thorough review