The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/search_region.sh is vulnerable to Python code injection. It uses shell variable interpolation to embed the --name argument directly into a Python command string: python3 -c "... search = '$SEARCH'.lower() ...". Because the $SEARCH variable is not sanitized, a crafted input containing single quotes and Python commands (e.g., using __import__('os').system()) can execute arbitrary code on the host system.
[DATA_EXFILTRATION]: The skill accesses and processes a Yandex Cloud Service Account key file (service_account_key.json), which is a sensitive credential. In scripts/iam_token_get.sh, the private key is extracted from the JSON configuration and written to a temporary file in plaintext to facilitate signing with OpenSSL. Although the script attempts to secure this file using umask 077 and restricted temporary directories, the temporary storage of plaintext private keys increases the risk of credential exposure.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
Ingestion points: Search result titles and snippets are retrieved from the Yandex Search API and parsed into JSON format via scripts/common.sh (parse_search_xml). These results are then presented to the agent in scripts/web_search_sync.sh and scripts/web_search_async.sh.
Boundary markers: The skill does not employ delimiters or specific instructions to the agent to treat the search result content as untrusted or to ignore any instructions embedded within the results.
Capability inventory: The skill allows for the execution of shell commands (curl, openssl, python3) and performs network requests to external API endpoints.
Sanitization: While the skill strips XML/HTML tags from search results, it does not perform any content-based sanitization to filter out potential malicious instructions that could influence the agent's behavior.

yandex-search-api