domain-expired-opportunity-finder
Fail
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Step 3 of the SKILL.md file contains a Python code injection vulnerability. It runs a shell command python3 -c with a template containing '''CANDIDATE_LIST_HERE'''. The agent is instructed to replace this placeholder with a list of domains provided by the user. If an input contains triple quotes (e.g., '''; import os; os.system('id'); #), it can escape the string context and execute arbitrary Python code and shell commands on the system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. In Step 4b, it fetches HTML content (titles and descriptions) from the Wayback Machine for the specified domains. In Step 4e, this untrusted data is interpolated into a JSON template sent to the Gemini LLM. An attacker who controls an expired domain's historical record could embed malicious instructions in the title or meta description to influence the agent's behavior during the triage process. Evidence chain:
  1. Ingestion points: Step 4b fetches data from web.archive.org.
  2. Boundary markers: Step 4e uses a JSON structure and a system instruction to guide the LLM, but these do not prevent structural injection into the JSON payload.
  3. Capability inventory: The skill has shell access via curl and python3, and writes files using cat.
  4. Sanitization: There is no evidence that the web-fetched content is sanitized or escaped before its inclusion in the prompt template.
- [EXTERNAL_DOWNLOADS]: The skill performs multiple network operations to fetch data from web.archive.org and rdap.org. While these are well-known services relevant to the skill's stated purpose, piping their output directly into a Python interpreter (as seen in Steps 4a and 4b) is a significant attack surface if the input data is not strictly validated.
Recommendations
- HIGH: Downloads and executes remote code from: https://web.archive.org/web/LATEST_TIMESTAMP/http://DOMAIN_HERE, https://web.archive.org/cdx/search/cdx?url=DOMAIN_HERE&output=json&fl=timestamp,statuscode&collapse=timestamp:6&limit=100000 - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata