web-search-plus

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • Prompt Injection (HIGH): The skill creates a high-severity surface for Indirect Prompt Injection by ingesting untrusted web search results from Serper, Tavily, and Exa.
      • Ingestion points: external content retrieved from the web via scripts/search.py.
      • Boundary markers: none identified in the configuration or script calls to delimit untrusted data.
      • Capability inventory: the skill utilizes local script execution which may be influenced by injected instructions.
      • Sanitization: no evidence of content filtering or escaping is present in the provided files.
  • Command Execution (LOW): The skill executes a local Python script (scripts/search.py) to perform its functions, as demonstrated in test-auto-routing.sh. This is standard for the tool's architecture but represents an invocation of the system shell and local interpreter.
  • Data Exfiltration (MEDIUM): User-provided search queries are transmitted to third-party search APIs (Serper, Tavily, and Exa). While necessary for the skill's operation, this behavior involves sending potentially sensitive user intent data to external entities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 14, 2026, 04:30 PM