The Agent Skills Directory

[DATA_EXFILTRATION] (HIGH): The scripts/interpret.py file contains an arbitrary file read vulnerability in the load_prediction function. By prefixing the --prediction argument with an @ character, the script will read the contents of any file on the local file system. This content is then sent to the configured external LLM provider as part of the prompt, leading to potential data exfiltration of sensitive files like ~/.ssh/id_rsa or .env.
[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). The question provided by the user is interpolated directly into the LLM system prompt in scripts/interpret.py without any sanitization or robust boundary markers. A malicious question could override the divination master persona to extract system prompts or perform other unauthorized actions.
[COMMAND_EXECUTION] (MEDIUM): The workflow relies on executing local Python scripts via uv run. While these are part of the skill, the dependency on a local environment that can read arbitrary files (as noted above) increases the risk if the agent is manipulated into executing these scripts with malicious arguments.
[EXTERNAL_DOWNLOADS] (LOW): The scripts use uv run which dynamically manages and downloads Python dependencies (pydantic-ai-slim, python-dotenv, pyyaml). While these are common packages, the runtime fetching of dependencies is a minor risk factor.

mini-six-ren