github-actions-validator

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/install_tools.sh script downloads and executes code from the internet using insecure patterns.
      • It pipes a remote script from nektos/act directly into bash.
      • It uses bash process substitution to execute a script from rhysd/actionlint.
      • These repositories are not included in the trusted vendors list.
  • [COMMAND_EXECUTION]: The script scripts/validate_workflow.sh is vulnerable to shell command injection.
      • The script uses eval to run commands that incorporate the variable ${workflow_flag}, which is derived from the user-provided <workflow-file-or-directory> argument.
      • A maliciously crafted file path (e.g., containing backticks or semicolons) provided as input could lead to arbitrary command execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill relies on fetching scripts and binaries from raw.githubusercontent.com at runtime, which is an external dependency from non-whitelisted sources.
  • [PROMPT_INJECTION]: The skill processes untrusted GitHub Action workflows and interpolates their content into the agent's context. This presents an indirect prompt injection surface (Category 8).
      • Ingestion points: scripts/validate_workflow.sh reads files provided by the user (e.g., in .github/workflows/).
      • Boundary markers: The SKILL.md instructions do not define strict delimiters (like XML tags) to wrap the untrusted workflow content when the agent processes it.
      • Capability inventory: The skill has the ability to execute shell scripts, run act (which involves Docker), and run actionlint.
      • Sanitization: The skill lacks sanitization for the input file paths used in dynamic command execution.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash, https://raw.githubusercontent.com/nektos/act/master/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 4, 2026, 08:55 AM