hackernews

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. The hn-deepdive.sh script fetches raw content from external URLs provided by the Hacker News API and interpolates it directly into a prompt for a sub-agent (pi). There are no boundary markers or instructions to the sub-agent to ignore embedded commands within the fetched content.
      • Ingestion points: hn-deepdive.sh uses curl to fetch article content from $ARTICLE_URL and story comments via hn-cli.sh.
      • Boundary markers: Absent. External content is concatenated directly into the instructions for the pi sub-agent.
      • Capability inventory: The skill can read/write local files (~/Stuff/...), perform network operations via curl, and execute subprocesses.
      • Sanitization: Absent. The skill instructions specifically tell the agent to 'Automatically run a second deep dive' if a link is found, creating a chain that could be exploited by an attacker.
  • [COMMAND_EXECUTION]: The hn-deepdive.sh script performs unsafe string construction for the sub-agent's tasks. It includes a shell command string (curl -sL '$ARTICLE_URL' | pandoc ...) inside the prompt sent to the pi tool. If the sub-agent is configured to execute commands and the $ARTICLE_URL contains shell metacharacters or escape sequences, it could lead to command injection within the sub-agent's environment.
  • [EXTERNAL_DOWNLOADS]: The skill makes extensive use of external APIs (Hacker News Firebase API and Algolia Search API) and fetches content from arbitrary websites during the 'deep-dive' process. While these are core to its functionality, the lack of sanitization on the fetched data presents a risk.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:14 AM