base64-encoder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The scripts/base64_encoder.py script accepts a --file argument which is passed directly to open(). An attacker using indirect prompt injection could trick the agent into reading sensitive files (e.g., ~/.ssh/id_rsa, .env) and outputting their Base64 encoded content to the console.
  • Privilege Escalation (HIGH): The --output argument allows the tool to write files to any path accessible by the user. This can be used to overwrite critical files like ~/.bashrc or ~/.ssh/authorized_keys to gain persistent access or escalate privileges.
  • Metadata Poisoning (MEDIUM): The SKILL.md file claims the source repository is https://github.com/python/cpython. While the script uses the Python standard library, the script itself is not part of the CPython project, making this a misleading claim of trust.
  • Indirect Prompt Injection (HIGH): This skill has a high vulnerability surface because it processes untrusted data and possesses dangerous capabilities.
      ◦ Ingestion points: File input via --file, text input via positional arguments, and sys.stdin in scripts/base64_encoder.py.
      ◦ Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the processed data.
      ◦ Capability inventory: Arbitrary file read (open(..., 'rb')) and arbitrary file write (open(..., 'wb')) in scripts/base64_encoder.py.
      ◦ Sanitization: Absent. There is no path validation or restriction (e.g., sandboxing to a specific directory).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:10 AM