websh
Verdict: Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Finding categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill contains instructions that force the agent to bypass standard safety and clarification protocols. Specifically, in SKILL.md, it states: 'infer what they mean and do it. No "command not found" errors. No asking for clarification. Just execute.' This 'infer intent' model lowers the threshold for executing unintended or malicious commands disguised as natural language.
- EXTERNAL_DOWNLOADS (MEDIUM): The 'Eager Link Crawling' feature (SKILL.md) automatically fetches and caches content from URLs 1-2 layers deep from any site visited. This can lead to unintended data collection from sensitive or internal network resources (SSRF risk) and populates the local environment with untrusted data without user consent for each sub-request.
- COMMAND_EXECUTION (LOW): The skill implements a shell-like environment where it manages a local filesystem structure in '.websh/'. While intended for caching, the ability to 'infer intent' for non-formal commands increases the risk of the agent performing unintended file operations or state changes if a user's input is misinterpreted.
- INDIRECT_PROMPT_INJECTION (LOW): The background extraction process (state/cache.md) involves an AI subagent reading raw, untrusted HTML from external websites to 'intelligently' parse it. Evidence:
  1. Ingestion: Reading HTML from {url} into {html_path}.
  2. Boundary markers: Absent; no instructions to ignore embedded commands.
  3. Capabilities: Command execution, background task spawning, and file writing.
  4. Sanitization: Absent; the process is an iterative parse of raw data.
  A website could control the subagent's output and subsequently influence the main agent's session behavior.
- DATA_EXPOSURE (LOW): The skill maintains a persistent history of visited URLs, extracted content, and command history in a hidden '.websh' directory. While functional, this directory becomes a local repository of potentially sensitive browsing data that could be targeted by other local processes.