file-downloader
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION]: The `scripts/download.py` script uses `urllib.request.urlopen` without validating the URL protocol. While documentation suggests support for HTTP/HTTPS, the implementation allows the `file://` URI scheme, which can be used to read sensitive local files and write them to the workspace, leading to unauthorized data exposure.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves data from external URLs which, if later processed by the agent, could contain malicious instructions designed to hijack the agent's behavior.
  - Ingestion points: `scripts/download.py` (line 46) reads data from a URL provided as a command-line argument.
  - Boundary markers: No delimiters or instructions are used to distinguish downloaded content from system instructions.
  - Capability inventory: The skill can perform file writes via `open(output_path, 'wb')` (line 74) and network/local reads via `urllib.request.urlopen` (line 58).
  - Sanitization: There is no validation or sanitization of the downloaded content's nature or safety.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download files from any user-provided URL. Without a whitelist or restriction to trusted domains, it can be used to pull potentially malicious payloads or scripts into the local environment, bypass network policies, or facilitate phishing.
Audit Metadata