web-research-workflow
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
Flagged categories: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The 'rules/browser-patterns.md' file recommends saving browser session state to '/tmp/session-example.json'. Because /tmp is shared by every user on a multi-user system and files written there with a default umask are readable by other local users, session cookies and tokens stored at that path could be read by unauthorized users.
- [DATA_EXFILTRATION]: The skill transmits search queries and URL data to 'api.tavily.com' to use its semantic search and content extraction capabilities. This is a well-known service for AI research.
- [COMMAND_EXECUTION]: The workflow uses 'agent-browser eval' to run JavaScript in the context of target web pages for data extraction. While intended for scraping, this provides a mechanism for script execution in a browser environment.
- [PROMPT_INJECTION]: By design, this skill processes untrusted content from the web, creating an attack surface for indirect prompt injection. Malicious instructions on a target website could attempt to influence the agent's behavior or exfiltrate data.
  - Ingestion points: External web content retrieved via 'WebFetch', 'Tavily', and 'agent-browser'.
  - Boundary markers: The instructions include no delimiters or warnings that isolate untrusted content from the agent's primary reasoning logic.
  - Capability inventory: The skill uses tools such as 'Bash', 'Read', 'Write', and 'WebFetch', which could be leveraged if an injection succeeds.
  - Sanitization: The skill has no explicit sanitization or validation step for content fetched from remote servers before it is processed.
- [EXTERNAL_DOWNLOADS]: The skill is configured to fetch data from arbitrary external URLs as part of its web research and competitor monitoring workflows.
Audit Metadata