The Agent Skills Directory

[COMMAND_EXECUTION]: The entry-point scripts music-search.sh and music-search.ps1 implement an unsafe argument expansion feature where any argument starting with '@' is replaced by the content of the file at that path. This allows a user or a malicious prompt to read arbitrary local files from the host system by providing them as search keywords.\n- [DATA_EXFILTRATION]: Local file contents read via the vulnerable wrapper scripts are assigned to the search query variable. This data is then reflected in the JSON output (exposing it to the agent and user) and sent as a GET parameter to external search engines (e.g., Baidu) during the crawling process, effectively exfiltrating sensitive local data to third-party logs.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it scrapes titles, descriptions, and snippets from arbitrary third-party websites. This untrusted content is returned to the agent without sanitization or boundary markers. Evidence: 1. Ingestion points: music-search.js (parsing web-search output) and deep-extract.js (fetching arbitrary URLs). 2. Boundary markers: Absent. 3. Capability inventory: Network access (fetch) and script execution (inter-skill calls). 4. Sanitization: Absent; regex is used only for link extraction.\n- [EXTERNAL_DOWNLOADS]: The skill performs network requests to non-whitelisted third-party domains, including www.baidu.com and various resource sites found during the search, to extract cloud drive links.\n- [COMMAND_EXECUTION]: The skill executes external shell scripts from the web-search skill using execFile. While the paths are currently derived from SKILLS_ROOT, this mechanism increases the overall attack surface through inter-skill command execution.

music-search