frontend-architect

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a significant attack surface by combining the ability to fetch untrusted content from the web with tools capable of system-level modification.
  • Ingestion points: The skill utilizes WebFetch and WebSearch to retrieve data from external, untrusted sources.
  • Boundary markers: Absent. There are no instructions or delimiters defined in SKILL.md to isolate retrieved web data from the agent's core logic.
  • Capability inventory: The skill is granted Bash, Write, and Edit tools, allowing for arbitrary command execution and file system modification.
  • Sanitization: No sanitization or validation logic is prescribed for data retrieved via web tools, enabling an attacker to embed instructions in a web page that the agent might follow.
  • [Command Execution] (HIGH): The skill explicitly allows the Bash tool. While the provided examples involve standard tools like wrangler, an attacker could leverage this capability to execute arbitrary shell commands if they successfully compromise the agent via prompt injection.
  • [External Downloads] (MEDIUM): The skill encourages the execution of remote code through the npx utility (e.g., npx wrangler, npx shadcn-ui). While these are legitimate tools, executing them via an agent that processes external content introduces a risk of runtime execution of untrusted scripts.
  • [Metadata/Deception] (MEDIUM): Automated scanners flagged the pattern request.url.in as potentially malicious. While this appears to be a substring of standard JavaScript logic (request.url.includes), the presence of the .in TLD within this context triggered a blacklist alert, suggesting potential for domain-based obfuscation or malicious redirection logic if the agent interpolates URLs incorrectly.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:56 AM