websh
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The file commands.md references the URL https://short.link/abc, which has been explicitly identified as malicious and blacklisted by security scanners. While used as an example, referencing known malicious domains is a safety violation.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection through its automated web browsing and extraction features. Ingestion points: Untrusted HTML content enters the agent's context via the cd <url>, crawl, and prefetch commands (documented in SKILL.md and commands.md). Boundary markers: The extraction prompt used by the haiku subagent in state/cache.md lacks delimiters (such as triple quotes or separator lines) and contains no instructions to ignore or isolate commands found within the source HTML. Capability inventory: The agent possesses extensive capabilities, including writing to the local filesystem, executing shell commands for workspace initialization, and spawning further subagents with network access (shell.md, state/cache.md). Sanitization: There is no evidence of HTML sanitization or filtering of fetched content before it is passed to the extraction engine.
- [CREDENTIALS_UNSAFE]: The login command in commands.md and the environment management logic in shell.md are designed to handle and store sensitive authentication data, including session cookies (COOKIE_*) and authorization headers (HEADER_Authorization). These secrets are stored in plain text within the user's working directory (.websh/session.md).
- [COMMAND_EXECUTION]: The workspace initialization logic in shell.md utilizes the Bash tool to execute system-level commands like mkdir -p to set up its directory structure.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata