skills/ahgraber/skills/spec-kit/Gen Agent Trust Hub

spec-kit

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): Arbitrary command execution via eval in bash scripts.
      • Evidence: In scripts/common.sh, the get_feature_paths function constructs shell variable assignments by interpolating the $current_branch variable directly into single-quoted strings within a heredoc (cat <<EOF). This output is then executed using eval $(get_feature_paths) in scripts/check-prerequisites.sh (line 88) and scripts/setup-plan.sh (line 28).
      • Vulnerability: The $current_branch variable is sourced from the SPECIFY_FEATURE environment variable, the current git branch name, or directory names in the specs/ folder. An attacker can inject arbitrary commands by including a single quote in these inputs (e.g., SPECIFY_FEATURE="' ; id ; '"). This breaks the shell quoting in the generated string, causing the injected command to be executed during the eval call.
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The command injection vulnerability provides a direct path to arbitrary code execution. This is especially dangerous for AI agent skills, which may be directed to work on repositories containing maliciously crafted branch names or folder structures, or may be persuaded to set environment variables.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts perform various file system operations (mkdir -p, cp, touch) using paths ($FEATURE_DIR, $IMPL_PLAN, etc.) derived from the same unsanitized input, which could be exploited for arbitrary directory creation or file manipulation even without the eval exploit.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 06:13 AM