brightdata
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from arbitrary URLs and provide it to the agent as markdown, creating a significant indirect injection surface.
  - Ingestion points: WebFetch, curl via bash, Playwright browser automation, and the Bright Data MCP (SKILL.md).
  - Boundary markers: No mention of boundary markers or instructions to the agent to ignore embedded commands within the fetched content.
  - Capability inventory: The skill possesses extensive capabilities including bash access, automated browser control, and network communication via multiple tiers (SKILL.md).
  - Sanitization: There is no evidence of content sanitization or escaping before the external data is interpolated into the agent's context.
- Command Execution (HIGH): The skill explicitly uses the Bash Tool to execute curl with custom headers for 'Tier 2' scraping.
  - Evidence: "Tier 2: Customized Curl - Chrome-like browser headers to bypass basic bot detection" (SKILL.md).
  - Risk: If the URL or headers are constructed using unsanitized inputs from the user or previous scraping steps, it provides a direct path for command injection on the host system.
- External Dependencies & Downloads (MEDIUM): The skill relies on external browser automation (Playwright) and a third-party scraping service (Bright Data).
  - Evidence: References to "Browser Automation - Full browser automation using Playwright" and "Bright Data MCP" (SKILL.md).
  - Risk: This increases the attack surface through external binary execution and data processing through non-vetted third-party endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata