article-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted technical articles from mql5.com and processes them into markdown for agent consumption.
  1. Ingestion points: HTML content fetched via curl and Playwright from mql5.com (referenced in extraction-modes.md and troubleshooting.md).
  2. Boundary markers: Frontmatter limits scope to mql5.com, but no instructions prevent the agent from obeying instructions embedded within the extracted articles.
  3. Capability inventory: The skill has Bash and Read permissions, and executes several local Python/Shell scripts (mql5_extract.py, extract_all_python_docs.sh).
  4. Sanitization: No sanitization or escaping of the scraped HTML/Markdown is described in the skill instructions.
- Command Execution (MEDIUM): The skill frequently uses the Bash tool to execute local Python and shell scripts. While the paths are relative to $HOME/eon/mql5, this capability provides a side-effect vector if the agent is misled by content injected via mql5.com.
- Metadata Poisoning (LOW): Contradictory security notes in troubleshooting.md claim 'No network tools allowed' while extraction-modes.md explicitly instructs the use of curl. This misleading metadata could cause an operator to misjudge the skill's actual network footprint.
Recommendations
- AI detected serious security threats
Audit Metadata