res-price-compare
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
uv run --with openpyxl python3 -c "..."pattern to execute a Python script for generating Excel (XLSX) reports. This script is provided as a string template within thereferences/export-formats.mdfile. - [EXTERNAL_DOWNLOADS]: The skill directs the user to install
scrapling, an external third-party package, using the commanduv tool install 'scrapling[all]'. This tool is used as a fallback for sites that block standard web fetching. - [COMMAND_EXECUTION]: The skill executes external CLI commands via the
scraplingtool, including advanced parameters like--solve-cloudflareand--network-idlefor browser automation and anti-bot bypass. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes data from approximately 25-40 external e-commerce websites and incorporates this data into final reports and exports.
- Ingestion points: Data is fetched via
WebSearch,WebFetch, and thescraplingtool from numerous untrusted shop pages and price comparators. - Boundary markers: The prompts used for data extraction (e.g., "Podaj: 1) dokładną cenę brutto...") do not include instructions to ignore potentially malicious embedded content.
- Capability inventory: The skill has access to network tools, file writing (
Writetool), and dynamic code execution (uv run). - Sanitization: There is no explicit mechanism described to sanitize or validate extracted strings before they are rendered in HTML or written to Excel files.
Audit Metadata