competitive-ads-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest and analyze untrusted data from external sources (Facebook and LinkedIn Ad Libraries). An attacker can place instructions within an ad that the agent may interpret as commands during the analysis phase.
      • Ingestion points: Facebook Ad Library, LinkedIn ads, and other external ad platforms via web scraping.
      • Boundary markers: Absent. The skill does not define delimiters to separate untrusted ad content from the agent's instructions.
      • Capability inventory: Capability to write files to the local system (~/competitor-ads/) and perform network operations (web scraping).
      • Sanitization: Absent. There is no evidence of filtering or sanitizing the ad copy before analysis.
  • [File System Interaction] (LOW): The skill explicitly mentions saving screenshots and reports to the user's home directory (~/competitor-ads/). While this is a stated feature, this write capability increases the impact of a successful prompt injection attack.
  • [Command Execution] (MEDIUM): To perform the actions described (scraping and capturing screenshots), the agent must execute subprocesses or dynamic scripts. Without strict controls, this capability can be leveraged by malicious input encountered during scraping.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:17 AM