article-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Command Execution (HIGH): The skill interpolates the user-provided ARTICLE_URL directly into shell commands such as reader "$ARTICLE_URL", trafilatura --URL "$ARTICLE_URL", and curl -s "$ARTICLE_URL". Double quotes do not prevent command substitution: backticks or $(...) inside the URL are still expanded by the shell, so a crafted URL can lead to arbitrary code execution unless the input is strictly validated.
  • External Downloads (MEDIUM): The installation logic encourages the agent to run npm install -g and pip3 install for dependencies. This modifies the global environment and introduces risks associated with third-party package managers and potential supply chain attacks if the environment is shared or sensitive.
  • Dynamic Execution (MEDIUM): The fallback method uses python3 -c to execute multi-line Python scripts generated at runtime. While the script itself is hardcoded in the skill, the pattern of executing arbitrary code via CLI flags is a known risk factor.
  • Indirect Prompt Injection (LOW): This skill is highly susceptible to indirect prompt injection because it ingests untrusted data from external URLs.
      • Ingestion points: Data is fetched via curl, reader, or trafilatura from an external ARTICLE_URL (SKILL.md).
      • Boundary markers: None. Extracted content is saved directly to a file and then previewed in the agent's context without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill has access to Bash and Write tools, allowing for file system modification and further command execution.
      • Sanitization: No sanitization is performed on the extracted article content before it is displayed as a preview to the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:12 PM