web-scraping-automation

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's primary purpose is to ingest data from external, untrusted sources such as websites and APIs. This creates a surface for indirect prompt injection, where an attacker could place malicious instructions on a webpage that the agent then reads and follows.
      1. Ingestion points: Untrusted data enters the context through 'WebFetch' and 'WebSearch' tools, as shown in the 'scrape_website' and 'call_api' examples in SKILL.md.
      2. Boundary markers: No delimiters or protective instructions are used to distinguish between system instructions and fetched content.
      3. Capability inventory: The skill is authorized to use 'Bash' for command execution and 'Write'/'Edit' for file system operations.
      4. Sanitization: No sanitization or validation of the external content is performed before processing.
  • [COMMAND_EXECUTION]: The skill is granted access to the 'Bash' tool to perform automation tasks. While typical for scraping workflows, this capability allows arbitrary command execution, which can be dangerous if the agent's logic is subverted by malicious data from the web.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 03:40 PM