ai-research-scraper
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill retrieves information from the web using search results and presents it to the agent without any sanitization or boundary markers in
scraper.py,final_scraper.py, andsimple_scraper.py. - Ingestion points: Untrusted web content is ingested via the output of the
tavily-searchtool inscraper.py. - Boundary markers: None. The script directly parses the tool's output and prints titles and summaries without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill environment supports command execution (
subprocess.run), making the impact of a successful injection severe. - Sanitization: No escaping or filtering is applied to the retrieved web content before it is processed.
- Command Execution (HIGH): Multiple scripts (
scraper.py,final_scraper.py,simple_scraper.py) utilizesubprocess.runto execute a Node.js script located at a hardcoded path in a different skill's directory (/root/.openclaw/workspace/skills/tavily-search/scripts/search.mjs). Relying on the execution of unverified scripts outside the skill's own package is a dangerous practice. - Credentials Unsafe (LOW): Files such as
scripts/baidu_translate.py,scripts/test_microsoft_translator.py, andscripts/test_youdao_translate.pycontain hardcoded placeholders (e.g., 'YOUR_APP_ID', 'YOUR_API_KEY') for sensitive service credentials. While no active secrets are exposed, the design encourages users to place plain-text credentials in script files.
Recommendations
- AI detected serious security threats
Audit Metadata