skills/nowork-studio/toprank/seo-page/Gen Agent Trust Hub

seo-page

Fail

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection in Phase 0. The instructions use a bash snippet to process the user-provided $PAGE_URL variable inside a python3 -c command. Because the variable is interpolated directly into the shell command string, an attacker providing a URL containing shell metacharacters (e.g., backticks or $(...)) could execute arbitrary commands on the host system.
  • [DATA_EXFILTRATION]: The skill accesses local files in the user's home directory ($HOME/.toprank/business-context/) based on the domain extracted from the input URL. This represents a data exposure risk where the agent is instructed to read and display the contents of potentially sensitive business configuration files.
  • [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface (Category 8). It fetches and processes untrusted HTML content from both the target URL and competitor websites using WebFetch.
      • Ingestion points: SKILL.md Phase 1a (Target URL) and Phase 5 (Competitor URLs).
      • Boundary markers: No delimiters or safety instructions are used to distinguish external content from the agent's internal logic.
      • Capability inventory: The skill has access to shell execution via python3 and script execution (analyze_gsc.py), as well as file read capabilities (cat).
      • Sanitization: No sanitization or filtering is performed on the fetched content before it is analyzed by the model.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 1, 2026, 06:14 PM