convert-url-to-nextjs

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because its core functionality relies on parsing untrusted HTML and CSS from third-party websites.
  • Ingestion points: The skill ingests untrusted content from source URLs or HTML snapshots into the agent's context during the 'Wave 0' extraction phase, as detailed in references/foundations-agent.md and scripts/extract-styles.sh.
  • Boundary markers: The instructions do not provide explicit boundary markers or directions for the agent to ignore potential instructions embedded within the untrusted source data (e.g., hidden HTML comments or CSS content).
  • Capability inventory: The agent has the capability to write files to the local file system, execute shell scripts, and run build commands such as npm install and npm run build (documented in SKILL.md and references/system-template.md).
  • Sanitization: While the provided shell scripts include basic character escaping for JSON generation, there is no evidence of sanitization at the prompt level to prevent the LLM from obeying instructions found in the external content.
  • [COMMAND_EXECUTION]: The script scripts/capture-url.sh executes a command string provided via the --browser-command flag or the BROWSER_CAPTURE_CMD environment variable using sh -c. This allows for arbitrary shell command execution as part of the browser capture process.
  • [EXTERNAL_DOWNLOADS]: The skill downloads various assets, including CSS, JS, fonts, and images, from external URLs discovered in the target website's HTML, as described in references/capture-workflow.md and references/foundations-agent.md. While these are processed as data, they originate from untrusted external sources.
Audit Metadata
Risk Level: SAFE
Analyzed: May 17, 2026, 10:40 PM
Security Audit — agent-trust-hub — convert-url-to-nextjs