
polpo

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides tools for arbitrary code execution, including 'bash' for shell commands and 'browser_eval' for executing JavaScript in a browser context. While the 'bash' tool is described as sandboxed, it still allows for powerful system-level interactions.
  • [DATA_EXFILTRATION]: The 'vault_get' tool is documented as 'always available', meaning it bypasses the agent's explicit tool whitelist. This allows any agent to retrieve its stored credentials. When combined with network-capable tools like 'http_fetch' or 'email_send', an agent could be manipulated into exfiltrating these secrets.
  • [EXTERNAL_DOWNLOADS]: The skill enables agents to download and interact with external content via 'http_fetch', 'http_download', and a full suite of browser automation tools ('browser_*').
  • [PROMPT_INJECTION]: The system is vulnerable to indirect prompt injection. Agents can ingest potentially malicious instructions from external websites or shared project memory and then execute them using their powerful toolset.
    * Ingestion points: Data enters through 'http_fetch', 'browser_get', 'search_web', and local configuration or memory files.
    * Boundary markers: There are no documented delimiters or instructions to help the agent distinguish between system instructions and untrusted data.
    * Capability inventory: The agent has access to 'bash' execution, file writing, email communication, and mandatory credential retrieval via 'vault_get'.
    * Sanitization: No sanitization or validation mechanisms are mentioned for processing data from external sources.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 10:12 AM