competitor-content-tracker
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using `python3` to run local scripts (`scrape_blogs.py`, `scrape_linkedin_posts.py`, `search_twitter.py`). These commands interpolate arguments such as `--urls`, `--profiles`, and `--query` directly from user-provided configuration values. This pattern is vulnerable to command injection if the input values contain shell metacharacters.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes content scraped from external blogs, LinkedIn profiles, and Twitter/X handles which are under competitor (third-party) control.
  - Ingestion points: Raw data fetched by `blog-scraper`, `linkedin-profile-post-scraper`, and `twitter-scraper` is fed into the synthesis phase.
  - Boundary markers: None; the instructions in Phase 4 and 5 lack clear delimiters or instructions to ignore embedded commands within the scraped content.
  - Capability inventory: The skill has the capability to execute shell commands (`python3`) and write files to the local filesystem (`clients/` directory).
  - Sanitization: There is no evidence of sanitization, filtering, or validation performed on the scraped content before it is processed by the agent.
- [COMMAND_EXECUTION]: The documentation provides a persistence mechanism by instructing the user or agent to configure a `cron` job for recurring execution of the tracking skill.