web-scraping-python

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function is to ingest and process untrusted external data from the web.
      • Ingestion points: External URLs fetched via requests.get or Selenium in generated scrapers, and target URLs passed to scripts/new_scraper.py.
      • Boundary markers: Absent. The skill instructions do not provide the agent with explicit delimiters or instructions to ignore potential commands embedded within scraped HTML or documents.
      • Capability inventory: The skill facilitates network requests (requests), local file writing (save_csv), and the creation of executable files (chmod in new_scraper.py).
      • Sanitization: While data is cleaned for extraction (e.g., stripping HTML tags), there is no sanitization to prevent the agent from following malicious instructions contained within the scraped content.
  • [COMMAND_EXECUTION]: The scaffolding utility scripts/new_scraper.py performs a privilege modification.
      • Evidence: It uses output_path.chmod(0o755) to make dynamically generated Python scripts executable on the local filesystem.
  • [REMOTE_CODE_EXECUTION]: The skill teaches and provides examples for executing code in external environments.
      • Evidence: Instructions in SKILL.md and references/api_reference.md (Chapter 11) describe using driver.execute_script() in Selenium to run arbitrary JavaScript within a browser context.
  • [EXTERNAL_DOWNLOADS]: The skill relies on and suggests the installation of several external third-party libraries.
      • Evidence: scripts/new_scraper.py and various documentation files recommend installing requests, beautifulsoup4, scrapy, and selenium. These are well-known libraries from trusted ecosystems, but they constitute external dependencies.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 12:10 AM