url-content-loading
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses `uvx kabigon` to download and run a package from an external registry. The `kabigon` package is not from a source within the trusted scope, posing a risk of supply chain attack or execution of unvetted code.
- [COMMAND_EXECUTION] (HIGH): The skill instructions direct the agent to execute shell commands (`uvx kabigon ...`) which involve running external code on the host system. This capability can be abused if the agent is manipulated into executing different flags or commands.
- [INDIRECT PROMPT INJECTION] (HIGH): The core purpose of the skill is to ingest data from untrusted external sources like social media, GitHub, and general web pages.
- Ingestion points: Multiple loaders (Playwright, YouTube, Twitter, Reddit, GitHub) fetch content from attacker-controlled or public third-party URLs.
- Boundary markers: The skill lacks any instruction to delimit the loaded content or warn the agent to ignore instructions embedded within the fetched text.
- Capability inventory: The skill enables the agent to process external data which, if passed to other tools (like file-write or code-exec), could lead to a full system compromise via instructions hidden in a YouTube transcript or a GitHub README.
- Sanitization: There is no evidence of sanitization or filtering to remove potential prompt injection payloads from the retrieved URL content.
Recommendations
- AI detected serious security threats
Audit Metadata