res-price-compare

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the 'uv run' command to execute Python code snippets generated at runtime for creating XLSX reports. This pattern involves interpolating data fetched from external shop websites into a Python script executed via the command line. Without rigorous sanitization of this external data, a malicious website could potentially inject arbitrary Python code that would be executed by the agent during the export process.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from multiple external sources.
      • Ingestion points: External shop data and product information enter through WebSearch, WebFetch, and scrapling tool calls as described in SKILL.md.
      • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore potentially malicious content embedded within the fetched data.
      • Capability inventory: The skill has access to shell and Python execution via 'uv run' and file writing via the 'Write' tool.
      • Sanitization: No specific sanitization or escaping logic is described for handling external content before it is used in the command-line execution or report generation.
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing the 'scrapling' tool and using 'openpyxl' via the 'uv' package manager. While these are legitimate and well-known libraries, the skill's reliance on downloading and installing external software is a documented behavior. These references to well-known sources are documented neutrally and do not escalate the verdict.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 11, 2026, 10:29 AM