skills/adobe/skills/find-test-content/Gen Agent Trust Hub

find-test-content

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Command Execution (HIGH): The instruction in SKILL.md directs the agent to execute a shell command: node .claude/skills/find-test-content/scripts/find-block-content.js <block-name> [host]. Since there are no sanitization requirements provided to the agent, a malicious user could provide a block-name containing shell metacharacters (e.g., hero; rm -rf /) to achieve arbitrary command execution in the environment where the agent operates.
  • Data Exfiltration (MEDIUM): The scripts/find-block-content.js file uses the fetch API to retrieve data from a user-provided host parameter. The script performs no validation or whitelisting of the target host, enabling Server-Side Request Forgery (SSRF). An attacker could use this to scan the local network or access internal services and cloud metadata endpoints (e.g., 169.254.169.254) accessible from the agent's host.
  • Indirect Prompt Injection (MEDIUM): This category flags the vulnerability surface for external data ingestion.
      • Ingestion points: scripts/find-block-content.js fetches query-index.json and multiple HTML pages from the remote host provided as a parameter.
      • Boundary markers: None. The content is processed directly by the DOM parser without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The script performs network requests (fetch) and DOM parsing (jsdom). While jsdom is not configured to execute scripts, the resulting data is returned to the agent's context.
      • Sanitization: There is no sanitization or filtering of the content retrieved from the remote pages, which could allow an attacker controlling a target site to influence the agent's reasoning process.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:12 AM