testgen
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection because it ingests untrusted data from the repository and passes it into sub-agent prompts.
  1. Ingestion points: Step 1 reads target files ($TARGET) and Step 3 reads project convention files (AGENTS.md, CLAUDE.md).
  2. Boundary markers: No delimiters or explicit 'ignore instructions' markers are used when interpolating file content into the sub-agent prompt.
  3. Capability inventory: The skill has Write, Edit, Bash, and TaskCreate capabilities, which can be misused if an injection is successful.
  4. Sanitization: No sanitization or validation of the ingested file content is performed before processing.
- COMMAND_EXECUTION (HIGH): The skill dynamically constructs and executes Bash commands using variables derived from environment inputs like $TARGET, $FUNCTION_NAME, and $FILE. A maliciously named file or function could lead to arbitrary command execution on the host system. Evidence: 'test -f "$TARGET"', 'ast-grep -p "function $FUNCTION_NAME" "$FILE"', and 'rg ... "$BASENAME"'.
- DATA_EXFILTRATION (MEDIUM): The skill reads internal project documentation such as AGENTS.md and CLAUDE.md, which may contain sensitive logic or business rules. While no direct network exfiltration is observed, this data is exposed to sub-agents and could be leaked via agent responses or logs.
Recommendations
- AI detected serious security threats