crawl4ai
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from external websites via `AsyncWebCrawler.arun` (documented in `scripts/basic_crawler.py` and `scripts/batch_crawler.py`). There are no boundary markers or sanitization of the fetched content. The agent has the capability to write files (e.g., `output.md`, `batch_results.json`) and execute subprocesses (via `tests/run_all_tests.py`), creating a high-risk surface where a malicious website could take control of the agent's logic.
- Command Execution (MEDIUM): The skill supports the `js_code` parameter in `SKILL.md` and `references/cli-guide.md`, which enables the execution of arbitrary JavaScript within the browser context. This allows for dynamic code execution that could be manipulated by an attacker to steal session data or perform browser-side exploitation.
- Data Exposure (LOW): As a general-purpose crawler, the skill can be used for Server-Side Request Forgery (SSRF) to access internal network resources or cloud provider metadata services if the agent does not enforce strict URL filtering.
Recommendations
- AI detected serious security threats
Audit Metadata