summarize-agent

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The extract_web_content function in summarize-agent.py executes a shell command using subprocess.run with shell=True. It directly interpolates the user-provided URL into the command string without sanitization. An attacker can provide a crafted URL containing shell metacharacters (e.g., ;, &, |, `) to execute arbitrary commands on the system.
  • Evidence: subprocess.run(f'curl -sL "{url}" | html2text -utf8', shell=True, ...) in summarize-agent.py.
  • [COMMAND_EXECUTION]: The extract_pdf function in summarize-agent.py uses string interpolation to build a Python command string executed via a subprocess. If a user provides a local file path containing double quotes, they can break out of the string literal and execute arbitrary Python code.
  • Evidence: subprocess.run([sys.executable, '-c', f'from pdfminer.high_level import extract_text; print(extract_text("{file_path}"))'], ...) in summarize-agent.py.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches content from untrusted external sources (webpages, YouTube transcripts, X posts, PDFs) and interpolates it directly into a prompt for a sub-agent. An attacker could embed malicious instructions in the source content to manipulate the agent's output or hijack the session.
  • Ingestion points: Content is ingested in summarize-agent.py via extract_web_content, extract_youtube_transcript, extract_x_post, and extract_pdf.
  • Boundary markers: The prompt uses plain separator lines ('='*60) to delimit the fetched content, which are insufficient to prevent an attacker from breaking out of the data context.
  • Capability inventory: The script has the capability to execute several shell commands and interact with external APIs (whisper-api, sessions_spawn).
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the fetched content before it is placed into the LLM prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 5, 2026, 07:35 AM