link-scraper

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection attacks due to its core web scraping functionality.
      • Ingestion points: The fetch implementation across index.js, scrape.js, and scrape-wrapper.js retrieves arbitrary HTML content from URLs provided by the user or discovered during research.
      • Boundary markers: The skill does not implement delimiters or specific instructions to the agent to ignore instructions embedded in the scraped data.
      • Capability inventory: The agent using this skill has access to network requests and shell command execution via the included send-email.js and send-gmail.sh utilities.
      • Sanitization: Content is only cleaned of HTML tags and extra whitespace; it is not analyzed or sanitized for malicious instructions.
  • [COMMAND_EXECUTION]: The send-email.js utility contains a command injection vulnerability.
      • The script uses execSync to execute the system mail command with user-provided arguments.
      • The recipient (to) and subject fields are interpolated directly into the shell command string without escaping or sanitization.
      • If an attacker can influence these parameters, for instance via a hijacked agent following an indirect prompt injection, they could execute arbitrary commands on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:11 AM