web-fetch-linkup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (CRITICAL): The
SKILL.mdfile contains a workflow that instructs the agent to execute a Python script by interpolating a user-provided URL into a bash command:python3 .claude/skills/web-fetch-linkup/fetch.py "<URL>". An attacker can escape the double quotes by providing a URL containing shell metacharacters, such ashttps://example.com"; [malicious_command]; ", which leads to Remote Code Execution (RCE) on the host environment.\n- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).\n - Ingestion points: Web content retrieved from arbitrary URLs via
fetch.pyand the Linkup API.\n - Boundary markers: Absent. The skill provides no delimiters or explicit instructions for the agent to ignore instructions embedded within the fetched markdown.\n
- Capability inventory: The skill includes shell execution capabilities and file-write operations (creating files in
fetched-content/).\n - Sanitization: Absent. The script performs no filtering or sanitization of the fetched content before it is processed by the agent and saved to the filesystem.\n- EXTERNAL_DOWNLOADS (LOW): The script performs network POST requests to
https://api.linkup.so/v1/fetch. While necessary for the skill's purpose, this represents a network dependency on a non-whitelisted domain.
Recommendations
- AI detected serious security threats
Audit Metadata