panews-web-viewer

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/fetch-page.mjs script accepts arbitrary URLs starting with http or https and returns the response content. This behavior can be exploited for Server-Side Request Forgery (SSRF), or to exfiltrate data to an attacker-controlled server if the agent environment has access to internal services or to sensitive local files whose contents can be appended to a URL.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by retrieving and processing external website content as Markdown.
    • Ingestion points: scripts/fetch-page.mjs fetches content from www.panewslab.com or any URL provided as a command-line argument.
    • Boundary markers: No boundary markers or 'ignore' instructions are used to separate fetched content from the agent's core instructions.
    • Capability inventory: The script uses the Node.js fetch API to retrieve and print network data to stdout.
    • Sanitization: There is no evidence of content sanitization or validation of the Markdown data retrieved from the remote source.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 26, 2026, 02:11 PM