web-content-reader
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted data from external websites and presents it to the agent. * Ingestion points: The 'url' parameter in 'tool.js' is used to fetch content from the web via 'lib/fetcher.js' and 'lib/renderer.js'. * Boundary markers: Absent. The extracted content is returned within a 'result' object but lacks delimiters or instructions telling the agent to ignore embedded commands. * Capability inventory: The skill uses standard fetch for HTTP requests and 'playwright-core' for full browser rendering. * Sanitization: 'lib/extractor.js' uses 'cheerio' to remove script and style tags, but it does not filter or sanitize the text content for malicious instructions.
- [COMMAND_EXECUTION]: Potential for Server-Side Request Forgery (SSRF). The tool takes a user-supplied 'url' and fetches it without restriction, which could allow an attacker to probe internal network services or access cloud environment metadata endpoints.
Audit Metadata