web-search
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses bash command templates with placeholders like 'QUERY' and '<current_year>'. If these are replaced with user-controlled input without proper shell escaping, it allows for arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill fetches and processes untrusted web content from search engines, creating an indirect prompt injection surface where malicious websites could influence agent behavior.
  - Ingestion points: Web search results and page content (SKILL.md)
  - Boundary markers: None provided to isolate untrusted content from instructions
  - Capability inventory: Bash, WebSearch, and WebFetch tools (SKILL.md)
  - Sanitization: No sanitization or validation of external content is specified before passing it to the agent.
- [CREDENTIALS_UNSAFE]: The skill instructions provide methods to retrieve sensitive API keys (SerpAPI) from local configuration and pass them in HTTP requests to external services.
- [REMOTE_CODE_EXECUTION]: A pattern was identified involving the download of content via curl followed by string processing via grep. While the specific example extracts URLs, the architecture of piping web-fetched data to shell utilities is flagged as a high-risk pattern.
Recommendations
- HIGH: Downloads and executes remote code from: https://html.duckduckgo.com/html/?q=latest+AI+news+ - DO NOT USE without thorough review
Audit Metadata