article-extractor
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill interpolates the `ARTICLE_URL` variable directly into bash command strings (e.g., `reader "$ARTICLE_URL"`). This creates a shell injection vulnerability if a URL contains command separators like semicolons or pipes.
- EXTERNAL_DOWNLOADS (MEDIUM): The instructions suggest installing global packages from NPM and PyPI (`npm install -g`, `pip3 install`) at runtime. These dependencies are not version-pinned and originate from public registries, posing a supply chain risk.
- PROMPT_INJECTION (LOW): Risk of Indirect Prompt Injection (Category 8) from processed web content. The agent reads and displays a preview of untrusted data from external URLs.
  - Ingestion points: Web content fetched from the user-provided URL in the `Complete Workflow` section.
  - Boundary markers: No delimiters or warnings are used when presenting extracted content to the agent.
  - Capability inventory: The agent has access to powerful tools like `Bash` and `Write`.
  - Sanitization: No sanitization of the article content is performed; only the output filename is cleaned.
Audit Metadata