mcp-management

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill is designed to spawn external processes as MCP servers based on commands and arguments defined in the .mcp.json configuration file. While this is the intended purpose, it establishes a framework for arbitrary command execution if the configuration is maliciously modified. The integration documentation also encourages the use of the -y flag with gemini-cli to skip execution confirmations, bypassing a key security checkpoint.
  • EXTERNAL_DOWNLOADS (LOW): The skill documentation recommends installing various third-party Node.js packages and the gemini-cli tool. These dependencies are downloaded from external registries, introducing risks associated with third-party code integrity.
  • CREDENTIALS_UNSAFE (LOW): The configuration guide includes examples for storing API keys (e.g., BRAVE_API_KEY) within JSON files. Although it suggests using environment variable substitution and .gitignore as mitigations, the potential for hardcoding or accidental exposure of these secrets remains a risk.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill creates an attack surface by processing data from external servers, such as search results or web content.
    1. Ingestion points: results from Brave Search and Puppeteer.
    2. Boundary markers: not specified in the skill's instructional framework.
    3. Capability inventory: tool execution and subprocess spawning.
    4. Sanitization: no explicit sanitization logic for external tool outputs is mentioned.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 20, 2026, 01:10 AM