web-fetch-linkup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to fetch and process arbitrary web content, creating a significant attack surface for indirect prompt injection.
- Ingestion points:
fetch.pydownloads content from user-provided URLs. - Boundary markers: The workflow lacks delimiters or instructions to treat fetched content as untrusted data.
- Capability inventory: The agent has the ability to execute shell commands and write files based on the fetched content.
- Sanitization: There is no evidence of sanitization or filtering of the fetched markdown before it is saved or further processed by the agent.
- Command Execution (HIGH): The
SKILL.mdfile instructs the agent to execute a shell command:python3 .claude/skills/web-fetch-linkup/fetch.py "<URL>". - Evidence: This pattern is vulnerable to command injection if an attacker provides a URL containing shell metacharacters (e.g.,
https://example.com"; rm -rf /; #). The agent's reliance on simple string interpolation for shell commands is a high-risk pattern. - Data Exposure (LOW): The skill requires and reads a local
.envfile containing theLINKUP_API_KEY. - Evidence: While necessary for the service, the storage and access of plaintext credentials in the skill directory is a point of concern for data exposure if the environment is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata