web-extractor
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function is to ingest and process untrusted data from external web pages.
- Ingestion points: Untrusted data enters the agent context via
get_page_text,read_network_requests(API Interception), andscreenshotcaptures (Visual Extraction) as described in all five strategies inSKILL.md. - Boundary markers: The skill lacks instructions for the agent to use delimiters or specific 'ignore' directives for content found within the scraped pages, increasing the risk that the agent might obey malicious instructions embedded in the web content.
- Capability inventory: The agent utilizes high-privilege tools including
javascript_tool(browser-side code execution), thecomputertool (mouse/keyboard event simulation), and file writing capabilities to save extracted data. - Sanitization: There is no evidence of content sanitization, filtering, or validation of the external data before it is processed or written to the user's workspace.
Audit Metadata