baoyu-url-to-markdown

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because its primary purpose is to ingest and process untrusted data from any URL.
  • Ingestion points: In scripts/main.ts, the captureUrl function retrieves the full HTML content of an external website.
  • Boundary markers: None. The script does not wrap the scraped content in delimiters or provide warnings to the agent to ignore instructions within the content.
  • Capability inventory: The skill has file system write capabilities (writeFile in scripts/main.ts) and browser control via CDP.
  • Sanitization: While scripts/html-to-markdown.ts strips HTML tags, it does not sanitize natural language instructions, allowing an attacker to inject commands into the agent's context.
  • EXTERNAL_DOWNLOADS (MEDIUM): The SKILL.md file instructs the agent to use npx -y bun to run scripts. This command automatically downloads and executes the Bun runtime if it is not already present on the system, which is an untrusted external download and execution pattern.
  • COMMAND_EXECUTION (MEDIUM): The skill requires the agent to execute shell commands to run the scraper and check for the existence of EXTEND.md. These commands include npx -y bun and test -f, which interact with the host environment.
  • REMOTE_CODE_EXECUTION (MEDIUM): The script scripts/main.ts uses evaluateScript to inject and run JavaScript (cleanupAndExtractScript) inside the browser context of the target URL. While common for scrapers, this is a form of dynamic code injection into a remote environment.
  • UNVERIFIABLE_LOGIC (MEDIUM): Several critical functions (e.g., launchChrome, evaluateScript, CdpConnection) are imported from scripts/cdp.js, which was not provided in the skill payload. This prevents a complete security assessment of how the browser is launched and controlled.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:59 PM