The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's instructions provide examples of executing shell commands where user-supplied URLs are directly interpolated into the command line (e.g., firecrawl scrape "[URL]"). This pattern is highly susceptible to command injection attacks if the agent does not strictly sanitize the input, potentially allowing an attacker to execute arbitrary system commands by providing a crafted URL string containing shell metacharacters (e.g., using semicolons or backticks).
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external websites to generate a DESIGN.md file. This file is explicitly intended to serve as a 'source of truth' and 'instructions' for downstream AI coding agents. An attacker who controls a website being scraped could embed malicious instructions that, when synthesized into the design system, influence or hijack the behavior of the subsequent agent that processes the file.
Ingestion points: External website content, branding data, and metadata retrieved via the firecrawl tool.
Boundary markers: No specific delimiters or 'ignore' instructions are used to separate scraped content from the agent's synthesis logic.
Capability inventory: The skill uses shell execution (firecrawl CLI) and file system writes (creating DESIGN.md and storing assets in .firecrawl/).
Sanitization: There is no evidence of sanitization, escaping, or validation of the scraped content before it is included in the markdown output.
[EXTERNAL_DOWNLOADS]: The skill includes logic to download remote image assets (such as signed storage links) discovered during the scrape to the local .firecrawl/ directory. This results in the agent making network requests to arbitrary third-party URLs found within scraped data.

firecrawl-website-design-clone