webcrawler

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow command (implemented in src/commands/workflow.js) executes scripts via a package manager (pnpm, npm, or yarn) in a user-specified directory. Specifically, it runs the typecheck, build, and push commands, which execute any code defined in the package.json of the target project.
  • [DATA_EXFILTRATION]: The fetchPage function in src/lib/fetch-page.js supports the file:// protocol. This allows the tool to read local files from the host filesystem and include their contents in the generated JSON and HTML artifacts. This capability could be exploited to extract sensitive local data (e.g., configuration files, SSH keys, or environment variables) if an agent is directed to a local path.
  • [EXTERNAL_DOWNLOADS]: The shell script scripts/run-webcrawler.sh triggers npm install within the skill directory to manage dependencies. While standard for Node.js projects, running package managers on skill code can lead to the execution of arbitrary lifecycle scripts.
  • [COMMAND_EXECUTION]: The src/lib/run-command.js utility uses child_process.spawn to run external commands. While it avoids shell interpolation by setting shell: false, it still executes binaries and arguments provided via the command-line interface based on agent/user input.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) by processing untrusted data from external websites.
      • Ingestion points: src/lib/fetch-page.js fetches content from arbitrary URLs.
      • Boundary markers: Absent; fetched content is parsed and rendered into artifacts without explicit instructions for the agent to ignore embedded commands.
      • Capability inventory: Spawns subprocesses via run-command.js, reads/writes to the filesystem via fs.js, and performs network requests via fetch-page.js.
      • Sanitization: Employs escapeHtml for visual previews to prevent cross-site scripting (XSS).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 09:52 AM