dogfood

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it systematically navigates to and ingests content from external, user-provided URLs. A malicious website could contain hidden instructions that attempt to redirect the agent's behavior or capture sensitive session data during the exploration phase.
  • Ingestion points: Web content and console data are read using 'agent-browser snapshot' and 'agent-browser console' in SKILL.md.
  • Boundary markers: No explicit delimiters or 'ignore instructions' warnings are provided to the agent when processing page content.
  • Capability inventory: The agent has the ability to execute shell commands ('mkdir', 'cp') and control a web browser ('agent-browser').
  • Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the target application before it is processed by the agent.
  • [COMMAND_EXECUTION]: The workflow involves constructing and executing shell commands (such as 'mkdir' and 'cp') using variables like {SESSION} and {OUTPUT_DIR}. If these variables contain unsanitized input derived from a malicious website or user, they could be exploited to perform command injection.
  • [CREDENTIALS_UNSAFE]: The skill facilitates an authentication workflow where the agent handles credentials ('{EMAIL}', '{PASSWORD}') and saves session state to 'auth-state.json'. While necessary for the skill's purpose, this results in the local storage of sensitive session tokens in the output directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 07:40 AM