instagram-replicate

Fail

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill is vulnerable to code injection. In scripts/render_instagram_replica.py, untrusted metadata and comments fetched from Instagram are serialized to JSON and injected directly into a <script> tag in templates/instagram_replica.html using a simple string replacement: html = template.replace("__REPLICA_JSON__", json.dumps(payload)). Because json.dumps does not escape the sequence </script>, and the HTML parser closes the script element at the first </script> it sees regardless of JavaScript string context, an attacker could craft an Instagram comment containing this tag to break out of the JSON literal and execute arbitrary JavaScript. The injected script would run within the Playwright browser session used for recording the local replica, potentially allowing access to local files via the file:// origin.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run across several scripts (fetch_instagram_snapshot.py, render_instagram_replica.py, probe_instagram_replica.py) to invoke tools such as yt-dlp, ffmpeg, and ffprobe. These calls consistently use argument lists rather than shell strings, which is a secure practice that effectively mitigates command injection risks.
  • [EXTERNAL_DOWNLOADS]: The skill fetches public metadata and media files from Instagram. These network operations are aligned with the skill's primary purpose and target a well-known service (Instagram).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through data ingested from Instagram.
    * Ingestion points: Public captions and comments are fetched from Instagram URLs in fetch_instagram_snapshot.py.
    * Boundary markers: Data is isolated within a snapshot.json file before processing.
    * Capability inventory: The skill possesses significant capabilities, including system command execution (ffmpeg, yt-dlp), file system writes, and browser automation (Playwright).
    * Sanitization: While the JavaScript in the replica template uses escapeHtml for DOM insertion, the initial injection of the JSON payload into the script block is unsafe, creating an execution vector for malicious data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 12, 2026, 05:58 AM