cloudflare-agents

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL. Finding categories: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (MEDIUM): Server-Side Request Forgery (SSRF) via Browser Rendering. The BrowserAgent class in templates/browser-agent.ts accepts arbitrary URLs via the /scrape, /screenshot, and /batch-scrape endpoints. These URLs are passed directly to page.goto() without validation. This allows an attacker to probe internal network services, access environment-specific metadata, or perform local port scanning from the agent's execution context.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. Multiple templates are vulnerable to indirect injection. In templates/rag-agent.ts, the chat method retrieves untrusted document content from Vectorize and interpolates it directly into a system prompt. In templates/browser-agent.ts, the extractDataWithAI method retrieves innerHTML from a user-provided URL and sends it to OpenAI with instructions to extract data. An attacker could embed malicious instructions in the HTML (e.g., hidden text or comments) to hijack the agent's behavior.
  • Evidence Chain (Category 8): Ingestion points: POST /ingest (rag-agent.ts) and page.goto (browser-agent.ts). Boundary markers: Absent; content is concatenated using simple newlines or template literals. Capability inventory: Agents possess external network access (OpenAI/Anthropic APIs) and state persistence. Sanitization: None observed.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill utilizes external dependencies and APIs including OpenAI, Anthropic, and Puppeteer. While the organizations are trusted, the lack of input validation on the targets for these tools introduces risk.
  • [SAFE] (SAFE): Automated scanner alert for 'this.ca' is identified as a false positive. The pattern appears as a substring of internal TypeScript method calls such as 'this.calculateApprovalRate()' and 'this.cancelSchedule()', not as a literal malicious URL.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 04:42 PM