qa
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted web content from user-specified URLs which creates a surface for indirect prompt injection.
  - Ingestion points: Web page content, HTML navigation links, and console logs are fetched via the `browse` tool (SKILL.md).
  - Boundary markers: Absent. The instructions lack specific delimiters or "ignore" instructions to prevent the agent from obeying commands embedded in the target website.
  - Capability inventory: The agent uses a `browse` tool to navigate, click elements, fill forms, and take screenshots (SKILL.md).
  - Sanitization: Absent. Content from external URLs is not validated or sanitized before being used to influence the agent's workflow.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands and interact with a specialized 'browse' binary.
  - Evidence: The instructions use bash snippets for binary location and directory creation (SKILL.md).
- [SAFE]: The skill includes explicit instructions to redact sensitive information.
  - Evidence: Rules state that passwords should be replaced with `[REDACTED]` in reports (SKILL.md).
- [NO_CODE]: This skill consists of instructions and templates without providing any executable scripts or source code directly in the repository files.
Audit Metadata