Skills
NYC
skills/qodex-ai/ai-agent-skills/content-harvest/Gen Agent Trust Hub

content-harvest

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill executes multiple shell commands using variables $ARTICLE_URL and $TITLE which are derived from untrusted user input and external web content.
  • Specifically, the mv command and filename construction use the $TITLE variable, which is extracted directly from the <title> tag of arbitrary websites.
  • Using curl | grep or trafilatura --json | python3 to populate shell variables with data from the internet creates a significant risk for command injection or argument injection if the website provides a maliciously crafted title.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill suggests or performs the installation of third-party packages at runtime using npm install -g and pip3 install.
  • While @mozilla/readability-cli is from a trusted organization, trafilatura and reader-cli are not.
  • Downloading and installing packages from public registries is a major security risk as it can lead to the execution of unverified third-party code or supply chain attacks.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill uses python3 -c to execute embedded scripts that process data directly from curl. This creates a dynamic execution environment where the behavior is dependent on external data fetched at runtime.
  • [DATA_EXFILTRATION] (LOW): The skill uses curl and other networking tools to access arbitrary domains provided by the user. While this is the intended purpose of the skill, it creates a surface for network-based attacks or inadvertent data transmission to non-whitelisted domains.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted data from arbitrary web sources.
  • Ingestion points: ARTICLE_URL and the resulting HTML content.
  • Boundary markers: None. The extracted content is saved directly to files without delimiters.
  • Capability inventory: Subprocess calls (reader, trafilatura, curl), file writes (> article.txt), and package management (npm, pip).
  • Sanitization: Basic character stripping is performed for filenames, but no sanitization is performed on the article body itself, making it a vector for indirect prompt injection if the agent subsequently reads the saved file.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:55 PM