before-and-after

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH (DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The skill captures screenshots of web pages, which often contain sensitive information (API keys in UIs, user data, internal dashboards), and uploads them to 0x0.st via scripts/adapters/0x0st.sh. This is a public, anonymous file-sharing service, meaning any captured internal data becomes accessible via a public URL.
  • [DATA_EXFILTRATION] (HIGH): The scripts/adapters/blob.sh script allows screenshots to be sent to an arbitrary external endpoint specified by the BLOB_UPLOAD_URL environment variable, facilitating data exfiltration to attacker-controlled servers.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill instructions in SKILL.md mandate a 'Pre-flight' step that executes npm install -g @vercel/before-and-after. While the organization vercel is a trusted source, global package installation at runtime is a high-privilege operation. Per [TRUST-SCOPE-RULE], the download itself is downgraded to LOW.
  • [COMMAND_EXECUTION] (MEDIUM): The script scripts/upload-and-copy.sh performs dynamic execution by loading and running adapter scripts from a directory based on the IMAGE_ADAPTER environment variable (ADAPTER_SCRIPT="$ADAPTERS_DIR/$IMAGE_ADAPTER.sh").
  • [COMMAND_EXECUTION] (MEDIUM): The skill makes extensive use of curl, npx, and CLI tools (gh, vercel) with arguments constructed from user-provided URLs and CSS selectors, increasing the risk of command injection if the agent does not strictly validate these inputs.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill possesses a significant attack surface for indirect injection.
      • Ingestion points: Web page content captured by agent-browser in scripts/capture.sh and user-provided URLs/selectors.
      • Boundary markers: None; external content is processed directly.
      • Capability inventory: File system writes (screenshots), network requests (curl), and shell command execution (gh, npm, npx).
      • Sanitization: None detected.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 04:23 PM