web-fetch
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The fetch.sh and metadata.sh scripts are vulnerable to Python code injection via untrusted web content.
  - Evidence: The scripts use shell heredocs to execute Python logic, interpolating the raw content of a curl fetch directly into a triple-quoted string: html = """$CONTENT""".
  - Vulnerability: A malicious website can return a payload containing triple quotes (e.g., """; import os; os.system('...'); """) to break out of the Python string literal and execute arbitrary commands on the host machine.
- [COMMAND_EXECUTION]: Unsafe file system access in download.sh.
  - Evidence: The script accepts an --out parameter that is used directly in a mkdir and curl -o operation without validation.
  - Risk: An attacker using indirect prompt injection can trick the agent into downloading malicious files and saving them to sensitive system locations like ~/.bashrc or system startup directories.
- [EXTERNAL_DOWNLOADS]: Unrestricted network requests to arbitrary domains.
  - Evidence: All provided scripts (fetch.sh, download.sh, metadata.sh) perform curl operations to any user-supplied or page-discovered URL without a whitelist or safety filtering.
- [PROMPT_INJECTION]: High vulnerability to indirect prompt injection (Category 8).
  - Ingestion points: fetch.sh, download.sh, and metadata.sh all ingest untrusted data from the public web.
  - Boundary markers: None. The skill does not use delimiters or instructions to prevent the agent from obeying commands embedded in fetched web content.
  - Capability inventory: The skill possesses network access (curl), file system write access (download.sh), and arbitrary code execution (Python injection).
  - Sanitization: None. The script does not escape or sanitize web content before processing it via shell or Python.
Recommendations
- AI detected serious security threats
Audit Metadata