
maggy

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill programmatically executes shell commands using the claude -p --dangerously-skip-permissions flag. This configuration explicitly bypasses the security layer of the agent, granting it full authority to execute any shell command or system modification without the user's approval.
  • [REMOTE_CODE_EXECUTION]: The 'Execute Pipeline' feature introduces an indirect remote code execution (RCE) vulnerability. The skill ingests untrusted data from external sources (GitHub, Asana, Linear) and passes it directly into a high-privilege execution environment. A malicious actor could author a ticket containing instructions designed to hijack the agent's behavior to execute unauthorized code on the host system.
  • [DATA_EXFILTRATION]: Because the automated execution environment has both read access to the local codebase and the ability to run network commands (via the skipped permissions flag), an attacker could use an indirect prompt injection in a ticket to force the agent to read sensitive local files, such as .env files or SSH keys, and transmit them to a remote server.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function relies on processing untrusted third-party content from issue trackers.
      • Ingestion points: External tickets and issues from GitHub, Asana, and Linear mentioned in SKILL.md.
      • Boundary markers: None identified; the skill documentation indicates the prompt includes content directly from the author of the issue.
      • Capability inventory: Full file system write/edit access and arbitrary shell command execution via the claude subprocess.
      • Sanitization: While the skill validates the working_dir against a whitelist in ~/.maggy/config.yaml, it performs no sanitization or instruction filtering on the actual content of the tickets, leaving the execution pipeline fully exposed to adversarial instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 22, 2026, 12:54 AM