Skills
NYC
skills/tavily-ai/tavily-plugins/crawl/Gen Agent Trust Hub

crawl

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill is designed to crawl external URLs and return content to the agent's context, which is a significant vector for indirect prompt injection.
  • Ingestion points: The url parameter allows fetching data from any external website.
  • Boundary markers: The skill documentation does not mention any delimiters or instructions to the LLM to ignore embedded commands in the crawled content.
  • Capability inventory: The skill can write crawled content to a local directory (output_dir) and return data to the LLM.
  • Sanitization: There is no evidence of sanitization or filtering of the HTML/Markdown content retrieved from the web.
  • [Data Exposure & Exfiltration] (LOW): The skill communicates with an external API (api.tavily.com) which is not on the default trusted list.
  • Evidence: The skill uses curl to transmit data and requires a TAVILY_API_KEY for authentication. While this is expected behavior for the service, it constitutes an external data flow.
  • [Command Execution] (LOW): The skill invokes a local shell script to perform its operations.
  • Evidence: Examples show the execution of ./scripts/crawl.sh with JSON-formatted user input. Note: The content of crawl.sh was not provided for analysis, which prevents verification of safe argument handling/shell escaping.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 05:36 PM