The Agent Skills Directory

EXTERNAL_DOWNLOADS (MEDIUM): The script scripts/extract-website.sh performs an automated npm install in the lib/website-extractor directory during its first run. This behavior downloads third-party packages from the public npm registry at runtime, which can be a vector for supply chain attacks if dependencies are compromised.
COMMAND_EXECUTION (MEDIUM): The SKILL.md file grants the agent broad permissions to execute node and npm commands via the shell. While intended for the skill's operation, this provides a large attack surface for potential command injection or execution of malicious scripts.
DATA_EXFILTRATION (LOW): The script scripts/detect-recording.sh is designed to scan sensitive user directories, including ~/Desktop, ~/Downloads, and ~/Movies, to locate recent screen recordings. While this is a core feature, it involves scanning areas that may contain unrelated sensitive information.
PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8). It processes content from arbitrary URLs and screen recordings provided by the user. An attacker could embed malicious instructions in the visual or metadata layers of a website or recording to influence the agent's subsequent actions.
Ingestion points: scripts/record-website.sh (URL input) and scripts/extract-frames.sh (Video file input).
Boundary markers: No specific delimiters or "ignore embedded instructions" warnings were found in the provided analysis prompts.
Capability inventory: The skill possesses Read, Write, npm, and node execution capabilities.
Sanitization: There is no evidence of sanitization or filtering of the content extracted from the external sources before it is analyzed by the agent.

ui-extractor