xurl
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill explicitly instructs users to use a highly insecure installation pattern: curl -fsSL https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh | bash. This executes a remote shell script with no integrity verification, allowing the owner of the repository to execute arbitrary code on the user's system.
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs software from an untrusted GitHub organization (xdevplatform) and a third-party npm package (@xdevplatform/xurl). These sources are not included in the trusted vendors list and present a supply-chain risk.
- [DATA_EXFILTRATION]: The skill manages and accesses a sensitive configuration file located at ~/.xurl, which contains YAML-formatted API credentials and tokens. Accessing such files is a high-risk activity as it exposes the user's authentication data to the agent context.
- [COMMAND_EXECUTION]: The skill relies heavily on executing the xurl binary with parameters that are often derived from external, untrusted sources (e.g., tweet IDs, search queries, or user handles), which can be exploited if the CLI tool does not properly sanitize inputs.
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection because its primary function is to ingest untrusted data from the X API (posts, mentions, and DMs).
  - Ingestion points: xurl search, xurl read, xurl timeline, xurl mentions, and xurl dms all pull external text into the LLM context.
  - Boundary markers: The skill documentation lacks explicit instructions for the agent to use XML tags or other delimiters to separate untrusted API data from system instructions.
  - Capability inventory: The agent has the ability to perform write operations (posting, deleting, sending DMs) based on the data it reads, creating an exploit loop.
  - Sanitization: No sanitization or filtering of the X API response content is mentioned or implemented in the skill description.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata