skills/ppsteven/skills/url-summary/Gen Agent Trust Hub

url-summary

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: Content is fetched from arbitrary, user-provided URLs as described in SKILL.md. Boundary markers: No delimiters or instructions to ignore embedded commands are specified in the summarization process (Step 5). Capability inventory: The skill has the ability to write to the local filesystem (Step 7) and execute shell commands (Step 2). Sanitization: While filename sanitization is implemented, there is no sanitization or escaping of the fetched article content before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes shell commands via the exec tool and shell redirection. Evidence in SKILL.md shows use of 'exec("sleep 3")' for timing and 'curl' for fetching content directly to a temporary file. While primarily operational, these commands involve user-provided URLs which could present risks.
  • [DATA_EXFILTRATION]: The skill performs network and filesystem operations that could lead to data exposure. It accesses user-provided URLs and writes resulting data to a user-specified directory path. This provides the agent with broad filesystem access for writing content.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch content from external sources. It uses the browser tool, web_fetch, and curl to download web content from any URL provided by the user, as detailed in the Step 2 workflow of SKILL.md.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 07:04 PM