deep-research-main

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its core design is to fetch and synthesize external web data.
  • Ingestion points: External data enters the agent context during Phase 3, where it is fetched from arbitrary URLs using tools such as mcp_webfetch and curl (referenced in tool_strategy.md).
  • Boundary markers: None. The SYNTHESIS_PROMPT and the verification prompt in pipelines.py interpolate external findings and claims directly into the instructions, with no delimiters and no instruction to ignore content embedded in the fetched data.
  • Capability inventory: Across its scripts, the skill uses subprocess calls (via the shell, for curl), file writing (Write), file reading (Read), and background task execution (Task).
  • Sanitization: No sanitization, escaping, or validation of external content was found before it is interpolated into prompts.
  • [COMMAND_EXECUTION]: The skill uses shell commands (specifically curl, and Python scripts such as orchestrator.py) to manage research sessions and fetch content. The tool_strategy.md file provides templates for invoking curl with spoofed User-Agent and other headers to bypass access controls on third-party websites. Although intended for legitimate research functionality, these shell-based capabilities are an execution surface that malicious inputs could target.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 08:07 PM