summer-school-finder
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands that incorporate variables (`{PROGRAM_URL}` and `{SAFE_NAME}`) sourced from web searches and agent-generated identifiers. Interpolating these values directly into a bash command string (e.g., `tinyfish agent run --url "{PROGRAM_URL}" ... > /tmp/ssf_{SAFE_NAME}.json &`) without explicit sanitization or validation instructions creates a command injection vulnerability if the variables contain shell metacharacters such as double quotes, semicolons, or backticks.
- [PROMPT_INJECTION]: The skill scrapes and processes untrusted content from multiple university program pages, creating an indirect injection surface.
  - Ingestion points: Data is fetched via the `tinyfish` tool, saved to files in `/tmp`, and then read back into the agent's context using `cat` in `SKILL.md`.
  - Boundary markers: While the `tinyfish` agent is given limits on its own navigation, the main agent processes the aggregated results without clear delimiters or instructions to ignore embedded instructions in the scraped data.
  - Capability inventory: The skill possesses shell access (including the ability to run the `tinyfish` tool and standard utilities) and file system read/write access to `/tmp`.
  - Sanitization: No sanitization, escaping, or schema validation is performed on the scraped content before it is presented to the agent for ranking and analysis.
- [EXTERNAL_DOWNLOADS]: The skill performs outbound network requests to 7-8 different external university websites to scrape program details. While this is the intended functionality, it involves interacting with untrusted third-party domains.
Audit Metadata