
glmv-pdf-to-web

Fail

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The Phase 1 workflow interpolates the user-provided '$ARGUMENTS' variable directly into shell command lines, including 'basename' and 'curl', without quoting or escaping. An attacker can therefore execute arbitrary shell commands by supplying a crafted PDF filename or URL that contains shell metacharacters (for example backticks or semicolons).
  • [REMOTE_CODE_EXECUTION]: Phase 5 runs a Python one-liner via 'python3 -c' and interpolates the '<out_dir>' variable into a string literal inside that code. A directory name containing a single quote closes the literal, and the remainder of the name is parsed and executed as arbitrary Python code.
  • [DATA_EXFILTRATION]: Combined with the command-execution issues above, an attacker can exfiltrate sensitive files from the environment using tools such as 'curl' or 'wget', which are explicitly listed as dependencies.
  • [PROMPT_INJECTION]: The skill feeds the entire content of untrusted PDF files to the agent to generate website outlines and content. No boundary markers, delimiters, or instructions tell the agent to ignore malicious instructions embedded in the PDF text (indirect prompt injection). Ingestion points: Phase 2 and Phase 3 (reading all pages and planning sections). Capability inventory: subprocess calls in 'pdf_to_images.py', 'crop.py', and 'generate_web.py', plus direct shell execution.
  • [EXTERNAL_DOWNLOADS]: The skill uses 'curl' to download PDF files from arbitrary HTTP/HTTPS URLs supplied as input. Although this is a core feature, it is a network boundary crossing with untrusted data.
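The two interpolation bugs in the first two findings (the unquoted '$ARGUMENTS' in a shell line, and the '<out_dir>' pasted into a 'python3 -c' string literal) follow the same pattern, so one added example covers both. The code below is not from the audited skill; it reproduces each vulnerable rendering next to a hardened form, using constructed hostile inputs. The function names, the hostile strings, and the use of 'basename' and 'print(repr(...))' as stand-ins for the skill's real commands are assumptions made for illustration; the only thing taken from the page is the shape of the two bugs.

```python
import shlex
import subprocess
import sys

# Constructed hostile inputs (not real inputs seen in the audited skill).
HOSTILE_NAME = "report.pdf; echo PWNED"              # stands in for a crafted $ARGUMENTS
HOSTILE_DIR = "out')); print('INJECTED'); print(('"   # stands in for a crafted <out_dir>


def run_sh(cmd: str) -> str:
    """Run an already-rendered command line through /bin/sh, the way an
    agent's shell tool executes a command string produced by the workflow."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def basename_unsafe(arguments: str) -> str:
    """Phase 1 pattern: the value of $ARGUMENTS is pasted into the command
    line verbatim. The ';' terminates basename and the shell then runs the
    attacker-controlled remainder as a second command."""
    return run_sh(f"basename {arguments}")


def basename_safe(arguments: str) -> str:
    """Same command with shlex.quote(): the shell receives one single-quoted
    word, so metacharacters inside the value are data, not syntax."""
    return run_sh(f"basename {shlex.quote(arguments)}")


def basename_argv(arguments: str) -> str:
    """Preferred form when a shell is not actually needed: pass the value as
    one argv element and never render a command string at all."""
    return subprocess.run(["basename", arguments], capture_output=True, text=True).stdout


def py_repr_unsafe(out_dir: str) -> str:
    """Phase 5 pattern: <out_dir> is interpolated into a string literal inside
    a 'python3 -c' one-liner. A quote in the directory name closes the
    literal and everything after it is parsed and executed as Python."""
    code = f"print(repr('{out_dir}'))"
    return subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True).stdout


def py_repr_safe(out_dir: str) -> str:
    """Fix: keep the one-liner constant and hand the path over as a separate
    argv element, read back through sys.argv inside the interpreter."""
    code = "import sys; print(repr(sys.argv[1]))"
    return subprocess.run([sys.executable, "-c", code, out_dir],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("shell, unquoted  :", repr(basename_unsafe(HOSTILE_NAME)))
    print("shell, quoted    :", repr(basename_safe(HOSTILE_NAME)))
    print("shell, argv list :", repr(basename_argv(HOSTILE_NAME)))
    print("python -c, pasted:", repr(py_repr_unsafe(HOSTILE_DIR)))
    print("python -c, argv  :", repr(py_repr_safe(HOSTILE_DIR)))
```

With the hostile filename, the unquoted rendering prints "report.pdf" and then "PWNED", proving a second command ran; the quoted and argv forms print the whole string as one basename argument. With the hostile directory name, the pasted literal prints "INJECTED" from injected code, while the argv form prints the name back as a single repr'd value. The same quoting rule applies to the 'curl' download in Phase 1: the URL must be quoted or passed as an argv element, never pasted into a command string.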
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 20, 2026, 03:55 PM