url-to-markdown

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/url_to_md.sh accepts a user-controlled output filename as the second command-line argument without performing any path validation or sanitization. This allows for path traversal attacks where an attacker could specify sensitive locations (e.g., ~/.bashrc or ~/.ssh/authorized_keys) to overwrite or create files with arbitrary web content.
  • [EXTERNAL_DOWNLOADS]: The bash script uses uv run --with to dynamically fetch and install the requests, trafilatura, and markdownify packages from the Python Package Index (PyPI) at runtime. Fetching and running code from an external registry at runtime introduces a supply chain risk, as the integrity of these packages is not verified by the skill itself.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes raw content from external URLs. Malicious instructions embedded in a webpage (e.g., hidden in HTML comments or prose) could be extracted into the resulting markdown file and subsequently interpreted as instructions by the AI agent when it reads that file as context.
      • Ingestion points: The fetch_html function in scripts/url_to_md.sh retrieves content from arbitrary URLs.
      • Boundary markers: None. The retrieved content is directly converted and saved without delimiters or warnings.
      • Capability inventory: The script has file-write capabilities (open(output, 'w')) and network-read capabilities (requests.get).
      • Sanitization: None. While the script cleans 'noise' like subscription prompts, it does not filter for potential malicious instructions or script tags.
  • [DATA_EXFILTRATION]: The skill can be used to make outbound network requests to any URL provided. While intended for article extraction, this could be leveraged to perform Server-Side Request Forgery (SSRF) against internal network metadata services or private infrastructure if the environment is not properly isolated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 19, 2026, 03:07 PM