tavily

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/tavily.sh is vulnerable to shell command injection. In both the search and extract functions, the $query variable (derived from user input) is placed directly inside a double-quoted string within a curl command. Because the string is double-quoted, the shell interprets command substitutions like $(...) or backticks. An attacker or a malicious prompt could provide a query that executes arbitrary commands on the host system.
  • [CREDENTIALS_UNSAFE]: The script programmatically accesses the system's pass utility (pass show api/tavily) to retrieve sensitive API keys. While functional, this pattern involves access to a sensitive credential store that could be abused.
  • [EXTERNAL_DOWNLOADS]: The skill connects to the external domain https://api.tavily.com to perform its search functions. This is a well-known AI technology service.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface.
      • Ingestion points: Data is fetched from the public internet via the Tavily API and provided to the agent.
      • Boundary markers: None. Results are returned as raw JSON without markers or instructions to ignore potential commands within the content.
      • Capability inventory: The agent is granted Bash, Write, and Edit permissions, making it vulnerable to acting on malicious instructions found in search results.
      • Sanitization: No sanitization or validation is performed on the data retrieved from external URLs before it is processed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 07:57 AM