koog
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The framework includes an ExecuteShellCommandTool which allows an agent to run arbitrary shell commands on the host system. The inclusion of a BraveModeConfirmationHandler allows for automatic execution without human oversight, which is a significant security risk. Evidence: references/built-in-tools.md.
- [REMOTE_CODE_EXECUTION]: The combination of LLM-driven logic and the shell execution tool creates a potential surface for remote code execution if the agent is manipulated via prompt injection. Evidence: references/built-in-tools.md.
- [DATA_EXFILTRATION]: Built-in tools such as ReadFileTool, WriteFileTool, and ListDirectoryTool provide full access to the file system via the JVMFileSystemProvider. This could be exploited to read sensitive files or modify system configurations if the agent is misdirected. Evidence: references/built-in-tools.md.
- [EXTERNAL_DOWNLOADS]: The framework integrates with multiple external LLM providers including OpenRouter, OpenAI, Anthropic, Google, and DeepSeek for model execution. These are well-known technology services. Evidence: references/providers.md.
- [PROMPT_INJECTION]: The framework is vulnerable to indirect prompt injection because it ingests data from external sources and provides high-privilege capabilities. Ingestion points: input passed to AIAgent.run and data read via ReadFileTool. Boundary markers: none explicitly enforced in the core prompt logic for untrusted data. Capability inventory: shell command execution and file system modification. Sanitization: no default sanitization or validation logic for external content is provided in the documentation.
Audit Metadata