web-fetch

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (MEDIUM): In scripts/fetch_web_content.py, the output_file parameter is taken directly from command-line arguments and passed to an open(output_file, 'w') call without sanitization.
      • Evidence: Lines 106-112 in scripts/fetch_web_content.py take sys.argv[2] and open it for writing.
      • Risk: An attacker could provide a path like ../../.bashrc to overwrite sensitive system files if the agent executes the command as instructed.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The SKILL.md file defines a core workflow for converting Markdown to PDF using scripts/md_to_pdf.py, but this file is missing from the skill package.
      • Evidence: SKILL.md references python scripts/md_to_pdf.py <markdown_file> throughout the 'Usage' and 'Response Pattern' sections.
      • Risk: The agent may attempt to download or generate this script from an untrusted source, or fail in a way that reveals system information.
  • [PROMPT_INJECTION] (LOW): The skill is a direct vector for Indirect Prompt Injection (Category 8). It fetches arbitrary web content and processes it for the user.
      • Ingestion points: scripts/fetch_web_content.py and scripts/fetch_weixin.py ingest content from any URL.
      • Boundary markers: None. The content is written directly to markdown files.
      • Capability inventory: File writing, network access (via crawler), and browser automation (Playwright).
      • Sanitization: Uses standard libraries like crawl4ai and markdownify to strip HTML, but does not sanitize the resulting text for malicious instructions.
  • [COMMAND_EXECUTION] (LOW): The skill instructions require the agent to execute shell commands with user-supplied URLs. While this is the intended functionality, the agent must be cautious of malformed URLs that might attempt shell metacharacter injection.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:07 PM