BrightData

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to fetch and process untrusted content from arbitrary URLs, which is then returned to the agent as Markdown. This is a classic surface for indirect prompt injection where malicious instructions embedded in web pages can hijack the agent's logic. Ingestion points: Web content from URLs across all four tiers. Boundary markers: None specified in the SKILL.md. Capability inventory: Access to Bash shell, Browser automation (Playwright), and third-party MCP tools. Sanitization: No filtering or sanitization of the fetched content is described.
  • Command Execution (HIGH): Tier 2 fallback uses the Bash curl command. If the URL provided by the user is not strictly validated or escaped before being passed to the shell, it creates a high risk for command injection via shell metacharacters (e.g., ;, &, |).
  • Data Exfiltration (LOW): The scraping capabilities, particularly when using residential proxies (Tier 4), can be leveraged for Server-Side Request Forgery (SSRF). This could allow an attacker to probe internal network services or access sensitive cloud provider metadata endpoints (e.g., 169.254.169.254) from within the agent's execution environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:13 AM