The Agent Skills Directory

EXTERNAL_DOWNLOADS (CRITICAL): Automated security scanners have flagged the following files/entities as malicious:
teams.md was identified as containing a Phishing URL.
agno.sk was flagged as being associated with a Botnet threat. These findings represent confirmed detections requiring immediate isolation.
REMOTE_CODE_EXECUTION (HIGH): The skill provides PythonTools (references/tools/builtin-dev.md) which allows the agent to run arbitrary Python code and install third-party packages via pip. These capabilities allow for full remote code execution if the agent is manipulated via prompt injection.
COMMAND_EXECUTION (HIGH): The skill provides ShellTools and DockerTools (references/tools/builtin-dev.md) which enable the agent to execute arbitrary shell commands and manage Docker containers. This functionality grants high-privilege access to the host environment.
PROMPT_INJECTION (LOW): The skill defines a large surface for Indirect Prompt Injection (Category 8).
Ingestion points: The Knowledge system (references/knowledge.md) processes untrusted external data from URLs, PDFs, and CSVs.
Boundary markers: Documentation examples show direct template interpolation (e.g., {user_input}) without explicit boundary delimiters or instructions to ignore embedded commands.
Capability inventory: As noted above, the skill includes powerful capabilities like ShellTools, PythonTools, and various communication toolkits.
Sanitization: No explicit sanitization logic is provided for external data before it enters the LLM context.
EXTERNAL_DOWNLOADS (LOW): The scripts/check-updates.py script performs network operations to fetch metadata from pypi.org and docs.agno.com. Per the [TRUST-SCOPE-RULE], these findings are downgraded to LOW/INFO as the sources are verified and trusted, and the script logic does not involve dynamic execution of the downloaded content.

agno