vault-x-bookmarks

Fail

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The package.json and package-lock.json files specify versions for several dependencies that are significantly higher than the current official stable releases (e.g., dotenv@17.4.2, typescript@6.0.3, @types/node@25.6.0, and esbuild@0.27.7). This pattern is frequently associated with dependency confusion or supply-chain attacks. Additionally, automated scans explicitly flagged the esbuild download URL (https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz) as malicious.
  • [COMMAND_EXECUTION]: The script scripts/x-bookmarks.ts shells out to an external binary named xurl using node:child_process's execFile. This introduces a dependency on an unverified third-party CLI tool that must be manually installed and authenticated by the user, providing a vector for local command execution if the binary is compromised or spoofed.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted data from the X API and placing it into the agent's context.
      • Ingestion points: Untrusted data enters the context in scripts/x-bookmarks.ts via the fetchBookmarkPage function which retrieves post text from X.
      • Boundary markers: Absent. The content is interpolated directly into a markdown template in buildSourceMarkdown without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill has the ability to execute shell commands via execFile and write to the filesystem.
      • Sanitization: Basic YAML escaping is applied to metadata fields in yamlEscape, but the primary post body is not sanitized or filtered for malicious instructions.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 2, 2026, 11:11 PM