bearblog
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it reads and processes content from an external source (the Bear Blog dashboard).
- Ingestion points: The skill reads data from
div#header_contentandtextarea#body_contentwhen editing posts or listing content inexamples/browser-api-reference.md. - Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present in the processing logic.
- Capability inventory: The skill utilizes a browser tool capable of navigation, element interaction, and arbitrary JavaScript execution via
evaluate. - Sanitization: No sanitization or validation of the retrieved content is described before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill uses the browser tool's
evaluatefunction to execute JavaScript within the context of the web page. - Evidence: Examples in
examples/browser-api-reference.mddemonstrate usingPOST /act {"kind": "evaluate", "fn": "..."}to manipulate the DOM, override browser dialogs (window.confirm), and extract data. - Context: These executions are localized to the browser environment and are standard for automated web interaction tasks defined in the skill's workflow.
Audit Metadata