skills/89jobrien/steve/url-analysis/Gen Agent Trust Hub

url-analysis

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external content and possesses capabilities that can be triggered by that content.
      • Ingestion points: scripts/validate-urls.py reads file content using Path.read_text() to find URLs.
      • Boundary markers: Absent. No delimiters or instructions are provided to the agent to disregard instructions within analyzed files.
      • Capability inventory: The requests.head() function performs network operations; Path.read_text() performs file reads.
      • Sanitization: Absent. The script does not validate target domains or block private IP ranges (e.g., 127.0.0.1, 169.254.169.254), enabling SSRF attacks.
  • Data Exfiltration (HIGH): The validation script allows for Server-Side Request Forgery (SSRF). By providing a file containing URLs for internal services or cloud metadata endpoints, an attacker can use the agent's environment to scan local networks or exfiltrate sensitive environment info via headers or redirects.
  • Command Execution (MEDIUM): The skill relies on a Python script that accepts local file paths. If an agent is manipulated into passing sensitive system paths (e.g., ~/.aws/credentials), the script will read the file and attempt to process it for URLs, potentially exposing information in logs or results.
  • External Downloads (LOW): The script depends on the requests library. While a common and reputable package, it is not part of the standard library and is not pinned to a specific version, representing a minor supply chain best-practice violation.
  • Metadata Poisoning (LOW): The SKILL.md documentation incorrectly references scripts/validate_urls.py, whereas the provided file is named scripts/validate-urls.py. This discrepancy can lead to execution errors or confusion.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:50 AM