The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill downloads a compressed ZIP archive containing the RECAP browser extension from an external GitHub repository not identified as a pre-vetted or trusted source.
Evidence: curl -L "https://github.com/freelawproject/recap-chrome/releases/download/2.8.6/chrome-release.zip" -o recap.zip in both SKILL.md and site-patterns.md.
[REMOTE_CODE_EXECUTION]: The skill extracts the downloaded ZIP archive into the agent's tools directory, allowing external binaries/scripts to be loaded and used by the browser automation environment.
Evidence: unzip recap.zip -d recap-extension in SKILL.md.
[COMMAND_EXECUTION]: The skill generates and executes Python scripts (download-documents.py) at runtime to perform complex browser automation and file system operations.
Evidence: Instructions in SKILL.md to "Generate and run a Python script" combined with the templates provided in site-patterns.md.
[PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it ingests and processes untrusted data (HTML content, page titles, and metadata) from various external websites using Playwright.
Ingestion points: Document links and titles extracted from DocumentCloud, CourtListener, Scribd, and other archives in site-patterns.md.
Boundary markers: No delimiters or sanitization logic is present to distinguish between retrieved data and instructional content.
Capability inventory: The skill has access to Bash, Write, Read, Glob, and can execute generated Python scripts.
Sanitization: No sanitization or validation of the extracted external content is implemented before it is processed by the agent.

document-hunter