webfetch-plus

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill can be used to access and expose local system files. The fetchOnce function in runtime/webfetch-plus.mjs uses page.goto(options.url) without protocol restrictions. This allows the tool to fetch and read sensitive local files (e.g., via file:///etc/passwd) if a user or a malicious prompt provides such a URL, which the skill then processes and returns to the agent context.
  • [COMMAND_EXECUTION]: The wrapper script bin/wfp.sh is vulnerable to argument injection. It passes the unquoted variable $URL_AND_ARGS to the Node.js execution command. This allows the injection of extra flags like --out or --output-dir into the underlying script, which can be leveraged to create or overwrite unauthorized files on the system.
  • [EXTERNAL_DOWNLOADS]: The skill performs automatic runtime downloads. The script bin/wfp.sh executes npm install if dependencies are missing, and runtime/webfetch-plus.mjs may download a custom, pre-patched Chromium binary (~100MB) from remote sources when stealth mode is activated.
  • [PROMPT_INJECTION]: The skill presents a high surface area for indirect prompt injection. Since its primary function is to fetch and process arbitrary web content for the LLM, a maliciously crafted web page could include instructions designed to override the agent's behavior or bypass security filters once the content is ingested.
  • [COMMAND_EXECUTION]: The skill discovers the local environment by executing shell commands. The resolveChromeBinary function uses execSync to run system utilities like mdfind, which, and where to locate browser binaries. While the search terms are hardcoded, this represents runtime command execution based on the environment.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 05:36 AM
Security Audit — agent-trust-hub — webfetch-plus