article-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill constructs Bash commands by directly interpolating the ARTICLE_URL variable (e.g., reader "$ARTICLE_URL"). This allows an attacker to execute arbitrary shell commands by providing a URL containing metacharacters such as semicolons or backticks.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructions suggest installing external packages like trafilatura via pip and reader-cli via npm. Installing third-party software globally introduces risks of supply chain attacks and system environment modification.
- REMOTE_CODE_EXECUTION (MEDIUM): The command injection vulnerability provides a direct path for remote code execution. Additionally, the fallback extraction method uses python3 -c to execute a block of Python code, which is a form of dynamic code execution.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It scrapes untrusted content from the web and presents it to the agent without using boundary markers or sanitization. Evidence:
  1. Ingestion point: Content downloaded from ARTICLE_URL.
  2. Boundary markers: Absent.
  3. Capability inventory: Bash (curl, npm, pip, mv, rm), Write.
  4. Sanitization: Absent for extracted article text.
Recommendations
- AI detected serious security threats
Audit Metadata