The Agent Skills Directory

[COMMAND_EXECUTION]: The extract_keywords function in scripts/bsky.py is vulnerable to code injection. It constructs a Python script as a string, interpolating the stopwords parameter directly into the code before executing it via subprocess.run([venv_python, "-c", extraction_script], ...). An attacker who can influence the stopwords argument (e.g., via indirect prompt injection or social engineering) could execute arbitrary Python code in the environment.
[REMOTE_CODE_EXECUTION]: Due to the code injection vulnerability in extract_keywords, the skill allows for arbitrary execution of Python code. This is particularly critical as the agent may be induced to call this function with parameters influenced by untrusted external data (such as a Bluesky user bio or post content).
[PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection by fetching and processing large amounts of untrusted data from the Bluesky API and firehose.
Ingestion points: Data is ingested from api.bsky.app and wss://jetstream1.us-east.bsky.network via scripts/bsky.py and scripts/zeitgeist-sample.js.
Boundary markers: No delimiters or boundary markers are used to separate untrusted content from agent instructions.
Capability inventory: The skill has access to shell command execution (subprocess.run), network operations (requests, ws), and file system writes (temporary files).
Sanitization: Ingested content (post text, descriptions) is concatenated and processed without sanitization or validation before being used in keywords extraction or returned to the agent context.

browsing-bluesky