web-search-pro
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill connects to multiple external search providers (including Tavily, Exa, Serper, and Perplexity) and arbitrary user-specified URLs to retrieve information. These operations are essential to its function and are governed by a security validation layer in scripts/lib/url-safety.mjs.
- [COMMAND_EXECUTION]: The skill executes local system binaries, specifically curl for baseline network requests and headless browsers (Chromium, Chrome, or Edge) for rendering JavaScript-heavy pages. These subprocesses are managed using safe execution patterns (execFile and spawn with argument arrays), preventing shell injection vulnerabilities.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted data from the live web.
- Ingestion points: Web content enters the system via scripts/lib/web-fetch.mjs and scripts/lib/render-fetch.mjs.
- Boundary markers: The retrieved content is structured in JSON or wrapped in Markdown blocks in the output layer (scripts/lib/output.mjs).
- Capability inventory: The skill can execute subprocesses (curl, browser) and write to local state files (.cache/web-search-pro).
- Sanitization: Content is sanitized by stripping HTML tags (scripts/lib/html-text.mjs) and applying noise filters to remove boilerplate and interstitial pages (scripts/lib/research/document-quality.mjs).
- [SAFE]: The implementation demonstrates high security maturity. It includes dedicated modules for URL safety (scripts/lib/url-safety.mjs) that actively block access to localhost, private networks, and internal cloud metadata services. Additionally, the browser rendering lane supports same-origin-only navigation policies to prevent cross-site leaks during extraction.
Audit Metadata