caoliao-qrcode-markdown-content

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted Markdown content from external URLs.
      • Ingestion points: Remote Markdown content is fetched via curl as described in SKILL.md.
      • Boundary markers: The skill lacks explicit instructions to treat the fetched content as data only or to use boundary markers to prevent the agent from executing instructions found within the text.
      • Capability inventory: The skill utilizes shell execution capabilities (curl) to interact with the web.
      • Sanitization: No sanitization or filtering of the fetched Markdown content is implemented before it is returned to the agent context.
  • [COMMAND_EXECUTION]: The skill performs dynamic command construction to execute curl on the host system.
      • Evidence: In SKILL.md, the curl command is built using segments derived from user-provided URLs. While there are natural language instructions to validate these segments as alphanumeric, the reliance on dynamic string concatenation for shell commands introduces a surface for command injection if validation is bypassed.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to retrieve data from external domains (qr61.cn, qr71.cn, qr69.cn, h.qr61.cn). These domains are identified as vendor-controlled resources used for the skill's core functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 07:04 AM