The Agent Skills Directory

[COMMAND_EXECUTION]: The skill contains a significant command injection vulnerability in Phase 4. The variable {token_name} is directly interpolated into a shell command for Google Chrome or md-to-pdf. Since {token_name} can be derived from untrusted WebSearch results or direct user input without sanitization, an attacker could craft a name containing shell metacharacters (e.g., ; rm -rf / ;) to execute arbitrary commands on the system.
[REMOTE_CODE_EXECUTION]: In Phase 4, the skill includes a fallback command npx -y md-to-pdf. This pattern downloads and executes the md-to-pdf package from the public NPM registry at runtime. This introduces a risk of executing untrusted or malicious code if the package is compromised or if a typosquatted version is retrieved.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It fetches content from external news sources and project websites which are then processed by sub-agents to generate a summary. Maliciously crafted content on these external sites could influence the agent's behavior or the variables passed to the shell commands.
Ingestion points: Agent 2 (News) and Agent 5 (Project Website) use WebSearch and WebFetch to gather external data.
Boundary markers: None. The instructions do not include delimiters or warnings to ignore embedded instructions in the fetched data.
Capability inventory: The skill has the capability to write local files (HTML) and execute system commands (Phase 4).
Sanitization: There is no evidence of sanitization or escaping of the content retrieved from external sources before it is used in the prompt or shell commands.

analyze-crypto