brave-search

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH · PROMPT_INJECTION · EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to fetch and process untrusted content from the public web, creating a significant attack surface for indirect prompt injection.
      • Ingestion points: content.js fetches content from any user-provided URL. search.js fetches snippets from Brave Search and can optionally fetch the full content of all search result links.
      • Boundary markers: Absent. Extracted content is printed to stdout with minimal headers (e.g., --- Result 1 ---), providing no clear separation that would prevent an LLM from interpreting instructions found within the web content as its own.
      • Capability inventory: Uses fetch for network operations. While the skill itself has limited local capabilities, its output is designed to be consumed by an agent that may have broader permissions (file access, command execution).
      • Sanitization: Content is converted from HTML to Markdown but is otherwise raw. No logic exists to filter out potential prompt injection payloads or malicious instructions embedded in the target pages.
  • [Metadata Poisoning] (MEDIUM): The documentation in SKILL.md is misleading. It claims to use the "Brave Search API" and requests a BRAVE_API_KEY, but the implementation in search.js actually performs unauthorized web scraping of the Brave Search website using spoofed User-Agents.
  • [External Downloads] (LOW): The skill relies on standard, well-known Node.js libraries (jsdom, readability, turndown) for content processing. While the dependencies themselves are not inherently malicious, the skill's reliance on dynamic external data remains the primary risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:09 PM