The Agent Skills Directory

[PROMPT_INJECTION]: Indirect Prompt Injection Risk. The skill's core purpose is to retrieve and process arbitrary content from the web via Exa. This external content is untrusted and may contain malicious instructions designed to manipulate the agent's logic or extract sensitive information.
Ingestion points: Web content retrieved through scripts/exa_search.py and scripts/exa_extract.py.
Boundary markers: While the reference files instruct the agent to parse JSON output and synthesize a response, they lack specific delimiters or instructions to ignore potential commands embedded within the retrieved content.
Capability inventory: The skill utilizes subprocess execution (via uv run) and file system writes (via the -o output flag in scripts).
Sanitization: There is no evidence of content sanitization or filtering to remove potential injection strings from the fetched web data before processing.
[COMMAND_EXECUTION]: Command Injection Surface. The reference files (references/web-search.md and references/web-extract.md) provide shell command templates that interpolate variables like $ARGUMENTS and $FILENAME. This creates a vulnerability if the agent fails to sanitize user-provided input before executing these shell commands.
[EXTERNAL_DOWNLOADS]: Standard Dependency Management. The skill utilizes uv run --with exa-py and suggests installing python-dotenv. These dependencies are sourced from PyPI, a standard and well-known registry. The exa-py library is the official client for Exa, which is a well-known technology service.

exa-search