defuddle
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to install a package from the NPM registry using the command `npm install -g defuddle`. This introduces a dependency on a third-party tool that is not part of a known trusted ecosystem, which can pose a supply chain risk if the package is compromised or malicious.
- [COMMAND_EXECUTION]: The instructions direct the agent to execute several shell commands, including environment checks (`which defuddle`), global package installation, and execution of the `defuddle` binary with various flags. Specifically, it uses the tool's capability to write to the file system using the `-o` flag.
- [PROMPT_INJECTION]: The skill is designed to ingest data from arbitrary external URLs and process them into markdown for the agent's consumption. This creates a surface for indirect prompt injection attacks.
  - Ingestion points: Web content is fetched and converted via the `defuddle parse <url>` command (SKILL.md).
  - Boundary markers: The skill lacks explicit instructions for the agent to wrap the scraped content in delimiters or to ignore any instructions found within the processed text.
  - Capability inventory: The agent has the ability to execute shell commands, install software, and write files to the local disk (SKILL.md).
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text to remove potential injection vectors before it is presented to the agent.
Audit Metadata