web-fetch
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Prompt Injection (MEDIUM): The skill is a conduit for Indirect Prompt Injection. It fetches arbitrary content from the internet and feeds it into the agent's context for 'analysis'. Malicious instructions embedded in the fetched webpages could hijack the agent's logic or influence subsequent actions.
- Ingestion points: The --url parameter passed to scripts/web_fetch.py is the entry point for untrusted data.
- Boundary markers: The documentation does not mention any delimiters or instructions for the agent to ignore instructions found within the fetched content.
- Capability inventory: The skill allows the agent to read external data, which is then used for reasoning. If the agent has additional capabilities (like file writing or further tool use), the risk increases.
- Sanitization: While 'URL validation' is mentioned, there is no mention of sanitizing the content of the webpage to remove potentially malicious LLM-targeted instructions.
- Command Execution (LOW): The skill relies on executing a local Python script via uv. While this is standard for agent skills, it involves local process spawning.
- Evidence: uv run --script scripts/web_fetch.py.
- External Downloads (LOW): The skill makes outbound network requests to the Jina Reader API and the target URL specified by the user. This is expected behavior but represents an external data flow.
- Evidence: Use of 'Jina Reader API' to fetch webpage content.
Audit Metadata