opencli-rs-web-scraper
Fail
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation instructions advocate for downloading a shell script from a remote URL and piping it directly to a shell interpreter (sh). This practice allows for arbitrary code execution on the host machine without any opportunity for the user to verify the script's contents first.
- [COMMAND_EXECUTION]: The skill provides commands to modify shell initialization files (e.g., ~/.bashrc) to establish persistence and includes 'passthrough' features for high-privilege CLI tools like GitHub (gh), Docker, and Kubernetes (kubectl), allowing the agent to perform administrative tasks with existing local credentials.
- [DATA_EXFILTRATION]: By utilizing a Chrome extension to reuse active browser sessions, the skill can access private accounts and data on platforms like Twitter and Reddit without additional authentication. It also possesses commands to read private content from local applications such as Discord and Notion.
- [EXTERNAL_DOWNLOADS]: The skill directs users to download and execute pre-compiled binaries from external GitHub releases, which lack transparency and could contain malicious functionality that is not present in the source code.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from multiple external websites and has the capability to immediately act on that data via messaging apps or system commands.
  1. Ingestion points: Scraping commands for Twitter, Reddit, and HackerNews.
  2. Boundary markers: None present to differentiate between instructions and scraped content.
  3. Capability inventory: Desktop application control, shell profile modification, and administrative CLI passthrough.
  4. Sanitization: No evidence of data sanitization or validation of the fetched content before processing.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nashsu/opencli-rs/main/scripts/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata