noise2blog
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In Step 5 the skill writes user-controlled content to a temporary file with a shell heredoc (`cat > ... << 'ENDJSON'`). A heredoc ends at the first line that exactly matches its delimiter, so input containing a line `ENDJSON` terminates the body early, and every line after it is executed by the shell as commands.
- [DATA_EXFILTRATION]: The skill fetches content from user-provided URLs with `WebFetch` and sends the result to external APIs (Google Gemini and Tavily). This is a Server-Side Request Forgery (SSRF) pattern: an attacker can supply URLs that point at internal network services or cloud metadata endpoints, pulling their responses into the LLM context and onward to third parties.
- [DATA_EXFILTRATION]: API keys (`GEMINI_API_KEY` and `TAVILY_API_KEY`) are passed directly as command-line arguments to `curl`. Command lines are visible to other users on the same host through process listings (e.g. `ps`), and may also be recorded in shell history and system logs.
- [PROMPT_INJECTION]: Untrusted text from external URLs or user-pasted input is interpolated into the blog-generation prompt in Step 5 without boundary markers or sanitization. Instructions hidden in the source material (e.g. in HTML comments or text snippets) can steer the agent (indirect prompt injection), leading to unintended tool execution or data exfiltration.
- [COMMAND_EXECUTION]: User-provided content is inserted directly into a JSON structure inside a shell script without escaping special characters or control sequences, which can yield malformed request payloads or command injection.
Audit Metadata