source-tenders
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The scraper (
scraper.py) fetches tender listings from the official Taiwan Government E-Procurement website (web.pcc.gov.tw). The implementation explicitly disables SSL certificate verification (verify_ssl=False), which is a security best practice violation that could expose the data fetching process to interception. - [PROMPT_INJECTION]: The skill processes untrusted content from external web pages, creating an indirect prompt injection surface.
- Ingestion points:
scripts/scraper.pyingests tender titles, agency names, and metadata from theweb.pcc.gov.twdomain. - Boundary markers: No specific delimiters or safety instructions are used to separate scraped data from the agent's control context in the produced JSON files.
- Capability inventory: The skill allows local script execution via
uv runand file access via theopencommand. - Sanitization: While
scripts/analyze.pycorrectly escapes HTML entities to prevent cross-site scripting (XSS) in the generated report, it does not sanitize the input for natural language instructions that could influence the agent during subsequent processing steps. - [COMMAND_EXECUTION]: The skill defines restricted tool usage for executing its own Python scripts and opening the generated HTML analysis report, which is consistent with its stated purpose.
Audit Metadata