The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection attacks because it ingests and analyzes untrusted data from third-party websites.
Ingestion points: The scripts/fetch-rendered-dom.mjs script fetches rendered HTML, console logs, and network request metadata from arbitrary URLs provided by the user.
Boundary markers: The instructions do not specify the use of boundary markers or instructions to the analyzer agent to ignore potential commands embedded in the processed web content.
Capability inventory: Across its scripts, the skill can execute shell commands (execSync, bash), perform network operations (curl, playwright), and write files to the system.
Sanitization: There is no evidence of sanitization, filtering, or escaping of the external website content before it is passed to the agent for analysis.
[COMMAND_EXECUTION]: The skill performs automated environment setup and dependency installation.
Phase 0 in SKILL.md executes shell commands to check for and install Node.js via Homebrew or by extracting a downloaded binary to /usr/local without user confirmation.
scripts/fetch-rendered-dom.mjs uses child_process.execSync to install the playwright NPM package and the Chromium browser to a local cache directory.
[EXTERNAL_DOWNLOADS]: The skill fetches software binaries and web assets from remote sources.
Fetches Node.js distribution archives from the official nodejs.org domain.
Downloads browser components and the playwright package from well-known registries.
Downloads website source code, shaders, and resources from target URLs during the extraction process.
[DATA_EXFILTRATION]: The skill communicates with external domains.
Uses curl and Playwright to fetch content from user-provided URLs.
References various Firestore and Cloud Functions endpoints related to the Unicorn Studio and Shaders.com platforms for asset retrieval.

web-shader-extractor