skills/steipete/clawdis/xurl/Gen Agent Trust Hub

xurl

Fail

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides installation instructions that involve piping a remote shell script directly to the bash interpreter: curl -fsSL https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh | bash. This pattern is highly dangerous as it allows for arbitrary code execution from a remote source without prior inspection.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs software from several external sources, including a GitHub-hosted shell script, a Homebrew tap (xdevplatform/tap/xurl), and an NPM package (@xdevplatform/xurl). These sources are not recognized as trusted organizations.
  • [CREDENTIALS_UNSAFE]: The tool manages and relies on sensitive credentials stored in ~/.xurl. While the instructions explicitly warn the agent not to read or exfiltrate this file, its existence and the tool's access to it create a target for credential exposure.
  • [COMMAND_EXECUTION]: The skill's primary function is to execute the xurl CLI tool, which performs network operations and accesses the local filesystem to manage authentication tokens.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing external data from the X API.
      • Ingestion points: Untrusted data enters the agent's context through commands like xurl read, xurl search, xurl timeline, xurl mentions, and xurl dms in SKILL.md.
      • Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat fetched social media content as untrusted data.
      • Capability inventory: The skill has the ability to execute shell commands (xurl), write data back to the network (post tweets, send DMs), and perform searches based on LLM-generated queries.
      • Sanitization: Absent. Content retrieved from the API is passed to the agent without filtering for malicious instructions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/xdevplatform/xurl/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 23, 2026, 11:38 PM