rss-aggregator
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection by ingesting untrusted data from external RSS feeds.
  - Ingestion points: The scripts/aggregate.py script fetches and parses content from URLs defined in references/feeds.opml.
  - Boundary markers: The output format (Markdown) lacks explicit delimiters or encapsulation for the external content. This allows malicious instructions embedded in a feed to blend seamlessly with the agent's context.
  - Capability inventory: The script performs network read operations. While the script itself has limited side effects, its output directly influences the agent's reasoning and could trick the agent into misusing other high-privilege tools (e.g., file modification or command execution).
  - Sanitization: The clean_summary function removes HTML tags but does not filter for natural language instructions or adversarial content designed to bypass AI safety guidelines.
- COMMAND_EXECUTION (LOW): The skill relies on uv run to execute local Python scripts. While standard, it assumes the integrity of the local environment and the provided scripts.
- UNSAFE_PARSING (LOW): The script uses xml.etree.ElementTree to parse the OPML file. This standard library is vulnerable to XML External Entity (XXE) attacks if the input file is maliciously crafted or modified, which could lead to local file disclosure.
Audit Metadata