The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill provides instructions and examples for creating an indirect prompt injection surface. It demonstrates fetching untrusted data from external URLs (using useFetch) and the clipboard (using Clipboard.read), then passing that data to AI models via AI.ask or useAI without sanitization or boundary markers. (Found in: references/ai-api.md, examples/ai-integration.tsx, references/hooks-utilities.md).\n
Ingestion points: useFetch (external APIs), Clipboard.read (user clipboard), getSelectedFinderItems (local files selected by user).\n
Boundary markers: Absent in all AI-related code examples; untrusted data is directly interpolated into prompts.\n
Capability inventory: runAppleScript (system command execution), open (arbitrary URLs and local files), Clipboard.copy/paste (data manipulation), LocalStorage.setItem (persistence).\n
Sanitization: Absent; no mention of escaping or filtering content before AI processing.\n- [COMMAND_EXECUTION] (MEDIUM): The documentation promotes the use of runAppleScript to execute arbitrary AppleScript or JavaScript for Automation code on the host system. (Found in: references/hooks-utilities.md). While a core feature of the platform, this capability allows an attacker to execute system-level commands if they can influence the input to these scripts via the documented AI integration patterns.\n- [EXTERNAL_DOWNLOADS] (LOW): The skill instructs users to install external dependencies and fetch remote data at runtime. (Found in: SKILL.md, references/package-structure.md).\n
Evidence: npm install, useFetch('https://api.example.com/items').\n
Trust Scope: The referenced packages (@raycast/api, @raycast/utils) are standard platform libraries, which downgrades the download risk itself to LOW/INFO per [TRUST-SCOPE-RULE], though the skill's own code behavior remains HIGH.

raycast-extensions