learn

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill instructs the agent to execute a script from a location outside the skill's own directory. Evidence: In SKILL.md, step 6 executes 'python3 "${CODEX_HOME:-$HOME/.codex}/skills/.system/skill-creator/scripts/quick_validate.py"'. This relies on a hidden home directory that could be targeted for persistence or unauthorized code execution if an attacker compromises that specific path.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill generates new agent instructions (SKILL.md) based on external research data. Ingestion point: Web research based on user-provided topics. Boundary markers: None specified in the generation templates to separate data from instructions. Capability inventory: File-writing via the scaffold script. Sanitization: Uses slugify and yaml_quote for structural integrity, but does not sanitize the conceptual content of the research.
  • [DYNAMIC_EXECUTION] (LOW): The script 'scripts/scaffold_topic_kb.py' programmatically generates new markdown and YAML files containing agent instructions. Evidence: The 'build_skill_md' and 'build_openai_yaml' functions. While the templates are static, the interpolation of user-provided research data into instruction blocks is a known attack surface for multi-step agent chains.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:50 PM