competitive-ads-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, NO_CODE)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest untrusted data from external sources (Facebook and LinkedIn Ad Libraries) and analyze it. This creates a critical attack surface where an attacker can place malicious instructions inside an ad's copy to hijack the agent's behavior during the analysis phase.
      * Ingestion points: Web content from Facebook Ad Library and LinkedIn.
      * Boundary markers: None. The skill does not define delimiters to separate instructions from scraped data.
      * Capability inventory: Network access (scraping) and file system write access (~/competitor-ads/).
      * Sanitization: None. The skill analyzes 'messaging' directly, which involves passing untrusted strings to the LLM.
  • [Data Exfiltration] (MEDIUM): The skill specifies saving data to the user's home directory (~/competitor-ads/). In the event of a prompt injection, an attacker could manipulate the agent to read sensitive files from the home directory (such as SSH keys or environment variables) and exfiltrate them via the scraping network connection.
  • [No Code] (INFO): The provided file only contains the markdown description and instructions. The actual executable scripts (Python or Node.js) required to perform the scraping, screenshot capture, and file operations are missing, making it impossible to verify the safety of the implementation logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:40 PM