web-fetcher

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/fetch.py executes the opencli command via subprocess.run to handle specific platforms (Zhihu, Reddit, Twitter, Weibo).
  • Evidence: In scripts/fetch.py, the fetch_via_opencli function uses subprocess.run(cmd, ...) where cmd includes arguments derived from user-provided URLs.
  • Vulnerability: Specifically, the Reddit route uses m.string (the entire input URL) as a command argument: (r"reddit\.com/r/\w+/comments/", lambda m: ["reddit", "read", m.string]). An attacker could provide a URL containing CLI flags or specially crafted strings to influence the behavior of the opencli tool.
  • [EXTERNAL_DOWNLOADS]: The documentation (README.md and SKILL.md) instructs users to install a third-party package and a browser extension from a non-standard source.
  • Evidence: Users are directed to install @jackwener/opencli via npm and manually load an opencli-extension.zip browser extension from GitHub Releases. This manual installation bypasses the security protections of official extension stores.
  • [DATA_EXFILTRATION]: The skill transmits user-provided URLs to multiple third-party proxy services to convert content to markdown.
  • Evidence: URLs are sent to r.jina.ai, defuddle.md, and markdown.new as part of the fallback chain. This exposes the user's browsing/fetching intent and the specific URLs to these service providers.
  • [PROMPT_INJECTION]: The skill acts as a conduit for untrusted data, making it a primary surface for indirect prompt injection.
  • Ingestion points: scripts/fetch.py retrieves content from arbitrary external URLs.
  • Boundary markers: Absent. The fetched content is printed directly to stdout without delimiters or instructions for the agent to treat it as untrusted data.
  • Capability inventory: The skill utilizes network access (urllib.request) and shell command execution (subprocess.run).
  • Sanitization: Absent. The script does not sanitize, filter, or escape the fetched web content before providing it to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 28, 2026, 11:01 AM