
agentscout

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external GitHub repositories and interpolates it into LLM prompts without sanitization or protective boundaries.
  • Ingestion points: The ProjectAnalyzer in src/analyze/project_analyzer.py fetches README files (line 76) and key source files (line 84) from external repositories. The ProjectScorer in src/discover/scorer.py reads README excerpts (line 120).
  • Boundary markers: Absent. The prompt templates in src/analyze/project_analyzer.py (lines 14-48) and src/discover/scorer.py (lines 11-44) use basic Markdown headers but lack instructions to ignore embedded malicious directives.
  • Capability inventory: The skill can read remote files via the GitHub API, generate and save files locally, and utilize an LLM for content analysis.
  • Sanitization: Absent. The skill does not escape or filter content fetched from external repositories before interpolation into prompts.
  • [COMMAND_EXECUTION]: The skill executes a rendering pipeline that processes untrusted project metadata in an unsafe manner.
  • Evidence: In src/visual/composer.py (line 17), the Jinja2 environment is initialized with autoescape=False. This allows untrusted strings, such as project names or descriptions from external GitHub repositories, to inject arbitrary HTML or JavaScript into the templates during the render calls (lines 43, 56, 68, 80).
  • [DATA_EXFILTRATION]: Unsafe HTML rendering within the visual generation component creates a risk for local data exposure.
  • Evidence: The rendered HTML, which may contain injected scripts, is passed to html2image (line 28 in src/visual/composer.py) for rendering in a headless browser. A malicious repository author could use a project name or description containing script tags to perform a Cross-Site Scripting (XSS) attack against the local renderer. In many configurations, this can be leveraged to read sensitive local files (e.g., file:///etc/passwd or the .env file containing the user's API keys) using browser APIs like fetch() and exfiltrate them to a remote server.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 27, 2026, 07:17 AM