The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/fetch_threads.py contains a command injection vulnerability in the _run_agent_browser method. It uses subprocess.run(shell=True) to execute the agent-browser CLI tool, where user-supplied URLs are inserted into the command string using f-strings (e.g., f'open "{url}"') without proper sanitization or escaping. This allows an attacker to execute arbitrary shell commands by providing a crafted URL containing shell metacharacters like ; or &.
[EXTERNAL_DOWNLOADS]: The skill is designed to navigate to and download content from threads.net and threads.com. While these are well-known services, the insecure method of invoking the browser automation tool exposes the system to exploitation during the fetching process.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted text from the internet and passes it to subsequent agents for content transformation. \n
Ingestion points: scripts/fetch_threads.py (lines 148-185) extracts text and media URLs from Threads web pages. \n
Boundary markers: Absent; there are no delimiters or instructions provided to the Content Agent to ignore potentially malicious instructions embedded in the extracted content. \n
Capability inventory: The skill possesses the ability to execute shell commands (via subprocess) and write files to the local file system. \n
Sanitization: None; the extracted web content is processed by the agents without any filtering or validation.

threads-blog-post