article-extractor
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions advise the installation of third-party packages from external registries (NPM and PyPI), specifically `@mozilla/readability-cli`, `reader-cli`, and `trafilatura`. These sources are not within the trusted repository scope, introducing a supply chain risk.
- COMMAND_EXECUTION (MEDIUM): Several workflows execute shell commands that incorporate the `$ARTICLE_URL` variable directly. This presents a command injection surface if the URL input is not strictly sanitized by the agent runtime.
- DYNAMIC_EXECUTION (MEDIUM): The skill uses `python3 -c` to execute embedded Python code for parsing logic. While the code is defined within the skill, the execution of dynamically generated scripts is a risk factor when combined with untrusted input data.
- PRIVILEGE_ESCALATION (MEDIUM): The skill recommends global NPM installations (`npm install -g`), which often lead users to execute commands with `sudo` privileges.
- PROMPT_INJECTION (LOW): As a Category 8 (Indirect Prompt Injection) finding, the skill processes untrusted content from the web.
  - Ingestion points: Data is pulled from the `ARTICLE_URL` (SKILL.md).
  - Boundary markers: None present to distinguish article content from agent instructions.
  - Capability inventory: The skill utilizes `Bash` and `Write` tools.
  - Sanitization: While filenames are cleaned for filesystem safety, the content itself is not sanitized before being returned to the agent context.
Audit Metadata