skills/octavehq/lfgtm/microsite/Gen Agent Trust Hub

microsite

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Flagged categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to use browser-use to "extract computed styles (colors, fonts, logos) via JS eval" on external websites provided by the user. Executing arbitrary JavaScript on untrusted third-party domains is a high-risk operation that could be exploited if the target site contains malicious payloads designed to target scrapers or automation tools.
  • [COMMAND_EXECUTION]: Upon completion of the microsite, the skill triggers a command to "Open the microsite in the default browser." This executes a local system command on a file containing generated and potentially untrusted content, which may pose a risk if the generated HTML has been compromised via indirect injection.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8).
    ◦ Ingestion points: Untrusted data enters the context through user-provided URLs for brand extraction and through various research tools such as search_resources and list_findings, which pull from external or uploaded content.
    ◦ Boundary markers: The instructions lack specific requirements for delimiters or "ignore instructions" wrappers when interpolating researched content into the HTML structure.
    ◦ Capability inventory: The skill has capabilities to write to the local file system (.octave-microsites/), access the network via WebFetch, and execute code via JS eval and browser automation.
    ◦ Sanitization: There are no explicit instructions to sanitize or escape data before it is placed into HTML <script> blocks or CSS styles, potentially allowing an attacker to inject malicious scripts into the final landing page.
  • [DATA_EXFILTRATION]: The skill processes PII and sensitive company data (e.g., enrich_person with emails, list_findings with conversation intel). Because the agent is instructed to interact with external websites (via browser-use) while this context is active, there is a risk of unintentional data exposure if the automation tool is manipulated by the target site.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 03:09 AM