skills/gen-verse/openclaw-rl/xurl/Gen Agent Trust Hub

xurl

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill recommends installing the xurl tool via 'curl -fsSL https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh | bash'. This pattern executes a remote script with full user permissions without prior verification, allowing for arbitrary code execution from the untrusted xdevplatform repository.
  • [COMMAND_EXECUTION]: The skill is designed around the execution of a third-party CLI tool (xurl). While necessary for its function, this grants the agent the capability to run local binaries and potentially exposes the system to vulnerabilities within that tool or its update mechanism.
  • [DATA_EXFILTRATION]: The skill explicitly documents the location of sensitive API credentials in ~/.xurl. Although it includes instructions forbidding the agent from reading this file, an attacker could use prompt injection to override these constraints and exfiltrate the authentication tokens.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted data from the X API (posts, DMs, search results).
      * Ingestion points: Data enters the context via 'xurl search', 'xurl read', 'xurl timeline', 'xurl mentions', and 'xurl dms' in SKILL.md.
      * Boundary markers: There are no boundary markers or instructions to the LLM to ignore embedded commands within the fetched API responses.
      * Capability inventory: The skill possesses the capability to write/upload files ('xurl media upload'), access the network ('xurl'), and execute commands ('xurl') as documented in SKILL.md.
      * Sanitization: No sanitization or filtering is performed on the content of tweets or DMs before they are presented to the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 12, 2026, 02:37 AM