lazyweb-design-research

Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a bash script to search for a local executable named browse in multiple predictable paths and then executes it via the variable $LB. Executing binaries from computed or predictable paths can be exploited if an attacker places a malicious file in one of those locations.
  • [REMOTE_CODE_EXECUTION]: The skill's instructions recommend that the agent or user execute a setup script (./setup) located in a hidden directory (~/.claude/skills/lazyweb-skill/browse). Running unverified scripts can lead to arbitrary code execution.
  • [DATA_EXFILTRATION]: The skill reads the content of ~/.lazyweb/libraries.json, which contains configuration and session data for external design libraries. Accessing files containing session information is a sensitive operation.
  • [EXTERNAL_DOWNLOADS]: The skill automatically downloads images from external URLs provided by the Lazyweb database using curl and saves them to the local file system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from web search results and database descriptions (visionDescription). It lacks explicit boundary markers or sanitization when processing this external content, which could allow maliciously crafted content to influence the agent's behavior.
  • Ingestion points: WebSearch results and lazyweb_search output (SKILL.md).
  • Boundary markers: None identified.
  • Capability inventory: File writing (Write), shell command execution (Bash), and agent delegation (Agent).
  • Sanitization: None identified.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 2, 2026, 09:55 PM