moai-essentials-perf

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation includes logic for constructing shell commands for the Scalene profiler. Specifically, the build_context7_scalene_command function assembles command strings using variable interpolation (e.g., f"scalene {target_file}"). This creates a risk of command injection if the filename or other parameters contain shell metacharacters and are not properly sanitized before execution via the Bash tool.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it is designed to ingest and act upon data retrieved from external documentation and patterns.
      • Ingestion points: External data is fetched from the mcp__context7__get-library-docs tool, which retrieves documentation and optimization patterns from the /plasma-umass/scalene repository context.
      • Boundary markers: The skill does not implement visible delimiters or instructions to ignore embedded commands when processing the fetched documentation content.
      • Capability inventory: The skill is granted high-privilege capabilities including Bash for command execution, Write/Edit for file system modification, and WebFetch for network access.
      • Sanitization: No sanitization or validation mechanisms are described for the external content before it is used to generate or influence optimization strategies.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes WebFetch and custom MCP tools to retrieve external documentation and performance patterns from remote sources, including the well-known Scalene repository. These references are documented as part of the core performance analysis functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 01:07 AM