Skills
skills/yonatangross/orchestkit/web-research-workflow/Gen Agent Trust Hub

web-research-workflow

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • Data Exposure & Exfiltration (MEDIUM): The skill saves browser session states, which may include sensitive authentication cookies and tokens, to /tmp/session-example.json in rules/browser-patterns.md. In shared or multi-agent environments, this file could be read by unauthorized processes.\n- Dynamic Execution (MEDIUM): The skill utilizes agent-browser eval to execute JavaScript snippets on external web pages for data extraction as seen in rules/browser-patterns.md and rules/monitoring-competitor.md. This dynamic execution against untrusted DOM structures could be exploited if a malicious site is designed to manipulate the extraction logic.\n- Indirect Prompt Injection (LOW): The skill ingests untrusted data from the web through multiple tiers (WebFetch, Tavily, agent-browser), creating a surface for injection.\n
  • Ingestion points: WebFetch tool, Tavily API responses (Search, Extract, Crawl), and browser DOM content.\n
  • Boundary markers: Absent; no explicit delimiters or system instructions are provided to the agent to ignore or isolate instructions found within the scraped content.\n
  • Capability inventory: Bash (curl for API calls), Write (saving snapshots/diffs), WebFetch, and agent-browser.\n
  • Sanitization: Absent; scraped data is processed directly via jq and diff without validation or escaping.\n- Data Exposure & Exfiltration (LOW): The skill transmits user-defined queries and an API key (TAVILY_API_KEY) to api.tavily.com. While this is core to its functionality, it represents data flow to a non-whitelisted third-party service.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 20, 2026, 10:27 PM