websh

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a `watch --exec <cmd>` feature, which allows arbitrary command execution triggered by changes in external web content.
  • [COMMAND_EXECUTION]: Inclusion of `cron` and `at` commands enables the scheduling of recurring or delayed command execution, which can be used for persistence or malicious background tasks.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to "infer intent and do it" and to "never block" or ask for clarification, bypassing standard safety checks for ambiguous or potentially dangerous commands.
  • [REMOTE_CODE_EXECUTION]: Commands like `xargs` and `parallel` are implemented to build and execute command strings from input streams, which can be manipulated if the input comes from untrusted web sources.
  • [PROMPT_INJECTION]: The activation instructions in SKILL.md and shell.md command the agent to disregard the need for clarification ("No asking for clarification. Just execute"), which acts as a meta-instruction overriding default safety behavior.
  • [PROMPT_INJECTION]: The skill fetches untrusted HTML content and processes it via a subagent (Haiku) to create "rich" markdown. There are no boundary markers or instructions to ignore embedded commands within the fetched data, making the system vulnerable to instructions hidden in web pages. Ingestion points: WebFetch calls in shell.md and state/cache.md. Boundary markers: absent. Capability inventory: WebFetch, Write, Bash, and Task (background execution). Sanitization: absent.
  • [CREDENTIALS_UNSAFE]: The skill provides mechanisms to handle and store sensitive credentials, including a `login` command that captures user credentials and `export` commands for session cookies and authorization headers, which are stored in local session files.
  • [DATA_EXFILTRATION]: The skill's ability to fetch data from any URL and save it locally (`save` command) or process it via background tasks provides a path for exfiltrating sensitive local data if combined with malicious prompt instructions.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch content from any user-provided URL, including an example redirect to a blacklisted URL (https://short.link/abc) found in the documentation.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 17, 2026, 11:05 AM