agentation

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements platform hooks (UserPromptSubmit for Claude and AfterAgent for Gemini) that execute a command piping the output of 'curl http://localhost:4747/pending' directly into 'python3'. This pattern of piping network-sourced data into an interpreter on every agent message represents a high-risk execution vector.
  • [COMMAND_EXECUTION]: The provided 'scripts/setup-agentation-mcp.sh' script programmatically modifies sensitive agent configuration files in '/.claude', '/.codex', '/.gemini', and '/.config/opencode'. It uses 'jq' to merge execution commands and persistent hooks into these system-level configurations.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by instructing agents to perform code edits based on external feedback.
    1. Ingestion points: UI annotations (comments and selectors) are fetched from 'http://localhost:4747/pending' via platform hooks and the 'agentation_watch_annotations' tool.
    2. Boundary markers: Absent; instructions do not use delimiters or provide warnings to isolate untrusted comment text from system instructions.
    3. Capability inventory: The skill is granted 'Bash', 'Write', 'Read', 'Grep', and 'Glob' permissions (SKILL.md), enabling the agent to modify the entire codebase.
    4. Sanitization: Absent; the agent is explicitly told to 'Make the minimal change described in the comment' without validating or escaping the comment content.
  • [EXTERNAL_DOWNLOADS]: The skill's setup process relies on downloading and executing unversioned packages from NPM via 'npx -y agentation-mcp' and 'npm install agentation'. These operations occur without integrity verification or version pinning. The skill also references the 'benjitaylor/agentation' repository, which is not among the verified or trusted organizations.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 11, 2026, 01:20 PM