paw-mkt-pr
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute local shell and batch scripts located in a directory outside the skill's own folder, specifically `./skills/paw-mkt-setup/assets/scripts/tool-discovery.sh` and `./skills/paw-mkt-setup/assets/scripts/chrome-profiles.sh` (found in `references/shared-patterns.md`).
- [DATA_EXFILTRATION]: The skill provides instructions for accessing and managing sensitive browser session data. It directs the agent to discover local Chrome profile paths (e.g., `~/.linkedin-profile`) and to save authentication states to files like `./my-auth.json`, which the skill explicitly notes contain 'sensitive session tokens in plaintext' (found in `references/shared-patterns.md`). This creates a risk of credential exposure if the agent is compromised.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its web scraping capabilities (found in `references/research-mode.md` and `references/shared-patterns.md`).
  - Ingestion points: The agent fetches and processes text from external websites including Google News, LinkedIn, HARO, and competitor sites via `agent-browser`.
  - Boundary markers: There are no instructions to use delimiters or ignore embedded instructions when processing fetched web content.
  - Capability inventory: The agent has the ability to execute shell scripts, write files to the brand workspace, and perform further browser-based interactions.
  - Sanitization: There is no evidence of sanitization or validation of the content retrieved from external URLs before it is processed by the agent.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the `agent-browser` tool from Vercel Labs' GitHub repository using `npx` (found in `references/shared-patterns.md`).
Audit Metadata