qiaomu-markdown-proxy

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/fetch.sh file uses the npx --yes agent-fetch command, which downloads and executes a package from the npm registry at runtime without manual verification or a pinned version.
  • [COMMAND_EXECUTION]: The scripts/extract_pdf.sh script accepts a local file path as an argument to process PDFs. This capability could be abused if the agent is directed to read sensitive system or configuration files (such as SSH keys or environment files) under the guise of processing them as PDF content.
  • [DATA_EXFILTRATION]: The skill transmits user-provided URLs to external services, specifically r.jina.ai and defuddle.md, for conversion. While these are common services for this task, the content and metadata of the URLs are shared with these third-party providers.
  • [PROMPT_INJECTION]: The skill processes arbitrary, untrusted content from external URLs, creating a surface for indirect prompt injection attacks where malicious instructions embedded in a webpage could manipulate the agent's logic.
      ◦ Ingestion points: Content is retrieved from the web via scripts/fetch.sh, scripts/fetch_weixin.py, and scripts/fetch_feishu.py.
      ◦ Boundary markers: While the content is labeled with headers like 'Content:', the skill lacks explicit 'ignore embedded instructions' warnings or strong delimiters to prevent the agent from following commands found within the fetched data.
      ◦ Capability inventory: The skill allows the agent to write files to ~/Downloads/ and execute local scripts that perform network and file operations.
      ◦ Sanitization: There is no evidence of filtering or sanitizing the fetched content to remove potential AI-targeting instructions before presenting it to the agent.
  • [EXTERNAL_DOWNLOADS]: The README.md and documentation encourage the installation of multiple external dependencies and browsers via pip, brew, and playwright, which introduces third-party code into the environment.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 7, 2026, 12:38 AM