adsense-audit
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The Python script `scripts/crawl_site.py` uses `urllib.request` to fetch data from domains provided by the user. The script does not implement a whitelist or validate the target IP/URL, which enables Server-Side Request Forgery (SSRF) against internal network resources or cloud metadata services.
- [COMMAND_EXECUTION]: The `SKILL.md` instructions recommend using `bash_tool` with `curl` for crawling. Passing unsanitized user-provided domains to a shell command creates a high risk of command injection if the agent does not properly escape the input.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes untrusted data from external websites.
  - Ingestion points: Website HTML and text extracted via `scripts/crawl_site.py`.
  - Boundary markers: No delimiters or safety instructions are used to distinguish external content from agent instructions.
  - Capability inventory: The agent can execute shell commands via `bash_tool` and write files to `/mnt/user-data/outputs/`.
  - Sanitization: No filtering or escaping is applied to the crawled content before it enters the model's context.
Audit Metadata