sustainability-rss-fetch

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection. It ingests untrusted RSS metadata (titles, summaries) from external URLs and passes them to the agent for semantic screening. Because the agent's screening results directly determine which data is persisted or pruned in the shared SQLite database, a malicious feed could use injection techniques to manipulate the database state or the agent's subsequent tasks.
    Ingestion points: External RSS feeds fetched via the 'collect-window' command.
    Boundary markers: Absent in the workflow description.
    Capability inventory: The agent's reasoning leads to subprocess calls to 'scripts/rss_subscribe.py', which writes to a database and local JSON files.
    Sanitization: None mentioned.
  • COMMAND_EXECUTION (HIGH): The core logic script 'scripts/rss_subscribe.py' is missing from the provided skill files. This script is responsible for critical side effects including database initialization, network fetching of feeds, and local file writing. Without the source code, the security of these operations (such as protection against SQL injection or command injection via feed content) cannot be verified.
  • EXTERNAL_DOWNLOADS (LOW): The skill performs a runtime installation of the 'feedparser' package via pip. While this is a standard library, installing unversioned dependencies from public registries at runtime introduces a potential supply chain risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 11:06 AM