agentation

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Automated scanners identified a high-risk pattern in the platform hook configurations and verification scripts where the output of a network request (curl) is piped directly to an interpreter (python3). Although the target is localhost and the logic is a static Python string, this pattern matches dangerous remote execution vectors that can be exploited if the local server is compromised.
  • [COMMAND_EXECUTION]: The skill's setup script and documentation instruct the modification of agent settings (e.g., ~/.claude/settings.json, ~/.gemini/settings.json) to add persistent hooks. These hooks execute shell commands automatically during every agent turn or prompt submission to poll for pending UI annotations, leading to frequent and automated command execution.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the agentation and agentation-mcp packages from NPM and references an external GitHub repository (benjitaylor/agentation). The use of npx to fetch and run remote packages and the discrepancy between the declared author ('akillness') and the source repository ('benjitaylor') are notable risks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its core functionality of processing UI feedback.
      • Ingestion points: Annotations containing user-provided feedback are fetched from a local endpoint (http://localhost:4747/pending) and injected into the agent's context via hooks and tools.
      • Boundary markers: The skill uses simple text delimiters (e.g., === AGENTATION ===) to separate annotations, which are insufficient to prevent a malicious annotation from hijacking the agent's instructions.
      • Capability inventory: The agent is granted powerful tools including Bash, Write, and Grep, which could be misused if the agent obeys malicious instructions embedded in an annotation.
      • Sanitization: There is no evidence of sanitization or escaping of the user-provided comment or elementPath fields before they are presented to the agent.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 12:43 PM