Context Engineering Framework

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS

Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it is specifically designed to ingest untrusted data from external sources and has the capability to perform side effects on the local filesystem.
  • Ingestion points: The source_specification and web_content_fetcher allow the agent to fetch content from arbitrary URLs and raw text inputs.
  • Boundary markers: The specification lacks any defined delimiters or instructions to ignore embedded natural language commands within the fetched content.
  • Capability inventory: The agent has access to WebFetch for network reads and to Write, Grep, and Glob for filesystem manipulation. This combination allows an attacker who poisons a crawled webpage to control the agent's file operations.
  • Sanitization: No sanitization or validation logic is defined to filter out malicious instructions from the processed information.
  • [External Downloads] (LOW): The skill utilizes WebFetch to download content from arbitrary external sources. While this is the stated purpose of the skill, it functions as the primary delivery mechanism for malicious payloads via external websites.
  • [Data Exposure & Exfiltration] (MEDIUM): No direct exfiltration to an attacker's server is hardcoded, but the ability to read local files (Read) and write them to a user-defined output_base_directory could be exploited via injection to move sensitive data (e.g., credentials) into a directory that might later be shared or uploaded.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:23 AM