RSS Reader

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is suspicious due to a significant prompt injection vulnerability. The `SKILL.md` explicitly instructs the AI agent to 'summarize new items worth reading' from RSS feeds, especially when using the `--format ideas` option. The `scripts/rss.js` script fetches content from user-controlled URLs and directly embeds the `item.title` and `item.description` (after basic HTML entity decoding) into the markdown output that the agent is instructed to summarize. This allows an attacker who controls an RSS feed to inject malicious instructions into the agent's prompt, potentially leading to unauthorized actions. While the script itself doesn't contain malicious code, this interaction creates a critical attack surface.