The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill retrieves content through third-party proxy services including defuddle.md and r.jina.ai. It also provides instructions for downloading and installing various system and language dependencies such as playwright, marker-pdf, and poppler.
[REMOTE_CODE_EXECUTION]: The scripts/fetch.sh script executes npx --yes agent-fetch, which downloads and runs a package from the npm registry at runtime. Similarly, scripts/fetch_weixin.py triggers the installation of the Chromium browser via playwright install chromium.
[COMMAND_EXECUTION]: The skill runs shell and Python scripts to handle document fetching and parsing, passing user-controlled URLs and file paths as arguments to commands like curl, pdftotext, and npx.
[DATA_EXFILTRATION]: User-provided URLs, which may contain sensitive or private identifiers, are transmitted to external services (defuddle.md, r.jina.ai) for the purpose of content conversion.
[PROMPT_INJECTION]: The skill's core functionality of ingesting and rendering arbitrary web content creates an indirect prompt injection attack surface.
Ingestion points: Untrusted data enters the agent context via fetch.sh, fetch_feishu.py, and fetch_weixin.py when processing user-provided URLs or PDFs.
Boundary markers: There are no explicit delimiters or instructions to ignore potential commands embedded within the fetched Markdown content.
Capability inventory: The skill possesses capabilities for network requests, shell command execution, and writing files to the user's ~/Downloads directory.
Sanitization: Content is parsed into Markdown, which removes active code elements like scripts but does not filter for natural language instructions that could influence the agent's behavior.

read