
ingest-url

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run shell commands for project detection (git remote get-url origin) and content extraction (defuddle <url>). Directly passing a user-provided or externally-sourced URL into a shell command is a known command-injection pattern if the agent does not properly escape the input.
  • [PROMPT_INJECTION]: The instructions include patterns associated with prompt injection, such as "ignore previous instructions." In this context, these patterns are used defensively within a 'Content Trust Boundary' section. The skill explicitly directs the agent to ignore any instructions embedded in fetched web content and to treat it strictly as data to be processed.
  • [EXTERNAL_DOWNLOADS]: The core functionality of the skill involves retrieving content from arbitrary external URLs provided by the user, via the WebFetch tool or the defuddle CLI. This involves processing untrusted data from the public internet.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection (Category 8) because it processes untrusted web data.
  • Ingestion points: Web content retrieved via WebFetch or defuddle output (SKILL.md).
  • Boundary markers: Present; the skill defines a 'Content Trust Boundary' to separate instructions from distilled content.
  • Capability inventory: The skill is capable of writing to the local filesystem (Obsidian vault) and executing shell commands (git, defuddle).
  • Sanitization: Absent; the skill relies on the LLM's adherence to negative constraints rather than automated data sanitization or structural isolation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 02:52 PM