website-cloner

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes content from untrusted external URLs provided as arguments. There are no boundary markers or sanitization steps to prevent a malicious website from embedding instructions (e.g., in HTML comments or hidden text) that override the agent's behavior. This could lead to the agent performing unauthorized file operations or exfiltrating data with its available tools.
    * Ingestion points: Target URL passed to website-screenshotter and website-extractor in assets/clone-website.md.
    * Boundary markers: Absent; instructions are interpolated into sub-agent prompts without delimiters.
    * Capability inventory: File system write access (Write), bash execution (Bash), and full browser control (mcp__playwright__*).
    * Sanitization: None; the agent processes raw external content and computed styles.
  • [Remote Code Execution] (HIGH): The website-cloner agent generates React code based on untrusted web content. The website-qa-reviewer then automatically executes npm run dev to run this code locally. This creates a direct path for a malicious website to achieve RCE on the user's machine by injecting malicious payloads into the 'cloned' component.
  • [Command Execution] (MEDIUM): The orchestration script in assets/clone-website.md uses shell commands (mkdir, sed) with segments of the user-provided URL. This lacks robust validation and could be exploited with specially crafted URLs to manipulate the local filesystem structure or cause unexpected shell behavior.
  • [External Downloads] (HIGH): The skill requires the installation of @anthropic-ai/mcp-playwright. While this is likely the official Anthropic package, the organization name anthropic-ai does not exactly match the trusted organizations list provided in the security policy (which lists anthropic and anthropics), necessitating a thorough review before use.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:48 PM