web-clipper

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Unsafe path construction in scripts/delete.py allows arbitrary file deletion. The script builds the target as clips_dir / filename; with Python's pathlib, an absolute right-hand operand discards the left one, so passing an absolute path as the filename argument replaces the base directory entirely and any file the process can write to can be unlinked.
  • [COMMAND_EXECUTION]: Multiple scripts including clip.py, list.py, search.py, and ingest.py allow the base clips directory to be overridden via command-line arguments without validation. This permits the agent to read from, write to, or delete files in sensitive locations outside the intended ~/web-clips folder.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests content from external websites which is then stored as local markdown files. These files could contain malicious instructions that an agent might follow when reading or searching the clipped content. (Ingestion point: scripts/clip.py, Boundary markers: YAML delimiters present but no warnings, Capability inventory: File operations and subprocess execution via ingest.py, Sanitization: None for embedded instructions).
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to arbitrary external URLs and a local FlareSolverr service (http://localhost:8191/v1) to fetch web content for clipping.
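The two COMMAND_EXECUTION findings above share one root cause: a user-supplied path component is joined to a base directory and used without a containment check. The following is an added example, not code from the web-clipper skill, showing the unsafe pathlib join beside a hardened helper that resolves the joined path and requires it to stay inside the clips directory, plus the same check applied to a command-line clips-directory override. It goes slightly beyond the audit text by also covering `..` segments and symlinks, which the same resolve-then-compare check catches. The helper names (safe_clip_path, resolve_clips_dir, safe_delete) and the temporary-directory scenario are assumptions for illustration.

```python
"""Added example, not code from the web-clipper skill: pathlib path containment
for a clips directory. Shows the unsafe join the audit describes beside a
hardened helper, and validation of a --clips-dir style override.
Helper names (safe_clip_path, resolve_clips_dir, safe_delete) are assumptions."""
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_clip_path(clips_dir: Path, filename: str) -> Path:
    """The pattern the audit flags. pathlib's `/` discards the left operand
    when the right operand is absolute, so filename='/etc/passwd' yields
    Path('/etc/passwd') and clips_dir is ignored. '..' segments escape too."""
    return clips_dir / filename


def _contained(candidate: Path, base: Path) -> bool:
    """True when the fully resolved candidate is base itself or lies below it."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_clip_path(clips_dir: Path, filename: str) -> Path:
    """Hardened form (hypothetical helper): join, resolve symlinks and '..',
    then require the result to stay strictly inside clips_dir."""
    base = clips_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate == base or not _contained(candidate, base):
        raise ValueError(f"refusing path outside clips directory: {filename!r}")
    return candidate


def resolve_clips_dir(override: Optional[str], allowed_root: Path) -> Path:
    """Accept a command-line clips-dir override only inside allowed_root
    (assumed to be pinned by the operator, e.g. the user's home); otherwise
    use the ~/web-clips default the audit names."""
    chosen = Path(override).expanduser() if override else Path.home() / "web-clips"
    if not _contained(chosen, allowed_root):
        raise ValueError(f"clips directory {chosen} is outside {allowed_root}")
    return chosen.resolve()


def safe_delete(clips_dir: Path, filename: str) -> Path:
    """delete.py-style unlink, gated by the containment check."""
    target = safe_clip_path(clips_dir, filename)
    if not target.is_file():
        raise FileNotFoundError(target)
    target.unlink()
    return target


def _rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError (the containment failure)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario in a temporary directory: one legitimate clip inside
    clips_dir and a decoy file outside it standing in for a sensitive file.
    Returns the observations a reviewer would check; all should be True."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        clips = root / "web-clips"
        clips.mkdir()
        (clips / "article.md").write_text("# clipped page\n")
        decoy = root / "sensitive.txt"
        decoy.write_text("must survive\n")

        results = {
            # the unsafe join really does land outside clips_dir
            "unsafe_absolute_escapes": not _contained(unsafe_clip_path(clips, str(decoy)), clips),
            "unsafe_dotdot_escapes": not _contained(unsafe_clip_path(clips, "../sensitive.txt"), clips),
            # the hardened helper refuses both, including on the delete path
            "safe_rejects_absolute": _rejects(safe_clip_path, clips, str(decoy)),
            "safe_rejects_dotdot": _rejects(safe_delete, clips, "../sensitive.txt"),
            "safe_accepts_clip": safe_clip_path(clips, "article.md") == clips / "article.md",
            # override validation: inside the pinned root is fine, outside is not
            "override_inside_ok": resolve_clips_dir(str(clips), root) == clips,
            "override_outside_rejected": _rejects(resolve_clips_dir, str(root.parent), root),
        }
        safe_delete(clips, "article.md")
        results["clip_deleted"] = not (clips / "article.md").exists()
        results["decoy_intact"] = decoy.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving both sides before comparing matters: a bare string-prefix check on the unresolved path still passes `clips_dir/../sensitive.txt` and a symlink planted inside the clips folder, whereas `resolve()` followed by `relative_to()` rejects both.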
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 03:37 PM