skill-a-trend-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill retrieves HTML content from www.amazon.com in `reference/fetch_amazon_movers.mjs`. This is a well-known service and the download is essential for the skill's core functionality of trend discovery.
- [COMMAND_EXECUTION]: The file `reference/fetch_amazon_movers.mjs` utilizes `spawnSync` to execute a Python script string. This is a controlled fallback mechanism used to fetch data when Node.js fetch fails, and it does not involve executing untrusted or dynamic external code.
- [PROMPT_INJECTION]: The skill processes data from an external, potentially attacker-controlled source (Amazon product pages), which represents an indirect prompt injection surface.
  - Ingestion points: External HTML content parsed in `fetch_amazon_movers.mjs`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded content are used when passing the data to the agent.
  - Capability inventory: The skill has the ability to write to the file system and execute subprocesses (via `fetch_amazon_movers.mjs`).
  - Sanitization: The code performs basic HTML entity decoding and uses regular expressions to extract specific product fields, providing some structural validation.
Audit Metadata