Parser
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: CRITICAL | PROMPT_INJECTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It fetches untrusted content from user-provided URLs and interpolates it directly into prompts for Gemini to perform entity extraction and summarization.
  - Ingestion points: Workflows/ParseContent.md and Workflows/BatchEntityExtractionGemini3.md fetch content from arbitrary web sources.
  - Boundary markers: The prompts use triple quotes (""") to delimit content, which is a weak boundary mechanism.
  - Capability inventory: The skill can execute shell commands (yt, llm, pdftotext), perform network requests (curl, fetch), and write to the filesystem (Bun.write).
  - Sanitization: No evidence of content sanitization or filtering was found before the data is processed by the LLM.
- [EXTERNAL_DOWNLOADS]: The skill documentation (README.md) and workflows (Workflows/BatchEntityExtractionGemini3.md) contain an example command referencing https://url3.com, which has been flagged as a malicious URL by automated scanners.
- [COMMAND_EXECUTION]: The skill invokes several external command-line tools via shell execution, including yt (Fabric), llm, pdftotext, unzip, and curl. While these are part of the primary parsing functionality, executing CLI tools with parameters derived from external content increases the attack surface.
- [DATA_EXFILTRATION]: The skill contains a mandatory instruction in SKILL.md to perform a local network request (curl -s -X POST http://localhost:8888/notify) on every invocation. While intended for notifications, this represents an unauthenticated POST request to a local service.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata