company-research

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/compile_report.mjs is vulnerable to shell command injection. It uses execSync to run an open command with a string-interpolated directory path: execSync(`open "${join(dir, 'index.html')}"`). If the directory path contains shell metacharacters such as quotes or semicolons, the path is parsed by the shell and can result in arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill exhibits a large attack surface for Indirect Prompt Injection (Category 8). Its primary function is to search for and extract content from arbitrary third-party websites, which is then fed into subagent prompts for synthesis.
  • Ingestion points: The scripts/extract_page.mjs script (referenced in references/workflow.md) fetches and cleans HTML/Markdown from untrusted URLs.
  • Boundary markers: The subagent prompt templates in references/workflow.md lack robust boundary markers or "ignore instructions" delimiters for the interpolated web content.
  • Capability inventory: Subagents are explicitly granted access to the Bash tool to perform their tasks, including file writes and searches.
  • Sanitization: There is no evidence of sanitization for malicious LLM instructions within the extracted text content. Malicious payloads on researched websites could influence the subagent to execute unauthorized shell commands.
  • [COMMAND_EXECUTION]: The skill relies on the execution of local binaries (browse CLI) via execFileSync and execSync. While execFileSync is generally safer, the overall pattern of the skill encourages the user to add multiple high-privilege commands to an auto-approval list (permissions.allow in settings.json), which significantly increases the impact of any underlying injection vulnerability.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 02:05 AM
Security Audit — agent-trust-hub — company-research