pkgmgr-homebrew-formula-dev
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Threat tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The 'justfile' interpolates the '{{json}}' recipe argument directly into a Node.js script block inside backticks. Because the argument becomes part of the script's source text rather than data, a value containing '${...}' or a closing backtick followed by further statements is parsed and executed as JavaScript, and from there arbitrary shell commands run on the host during formula generation.
- DATA_EXFILTRATION (HIGH): The 'parseInput' function in 'scripts/formula.helper.ts' reads an arbitrary file from the filesystem whenever the input starts with a directory marker ('.' or '/'). An attacker could manipulate the agent into reading sensitive files, such as '/.ssh/id_rsa' or '/.aws/credentials', by passing the file path as the 'json' argument; the file contents then flow into the generated formula and any output the agent reports back.
- REMOTE_CODE_EXECUTION (HIGH): The 'settings.json' file configures an MCP server to run via 'npx json-mcp-server@latest'. Resolving and executing an unpinned package from a public registry at runtime exposes the user to supply chain attacks and package hijacking: whatever version the registry serves at invocation time runs with the user's privileges, with no lockfile, pinned version or integrity hash to constrain it.
- PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection through its template pipeline. It processes untrusted JSON data and renders it into Ruby with 'Mustache.escape' disabled, so malicious project metadata (e.g. a repository description) can close a string literal and inject arbitrary Ruby into the generated Homebrew formula, which Homebrew evaluates when the formula is loaded.
- EXTERNAL_DOWNLOADS (MEDIUM): The 'justfile' includes a 'deps' command that performs 'npm install', and the skill's workflow involves 'curl' downloads of external source tarballs. While consistent with the skill's purpose, these operations fetch unverified content from the network.
- SAFE (SAFE): Automated scanner alerts regarding 'curl | sh' are likely false positives. Analysis of 'SKILL.md' and the template files shows the command actually used is 'curl | shasum', which computes the SHA256 hash of the downloaded tarball rather than executing it. Note that hashing what was just fetched only pins later installs to that same artifact; it does not verify the artifact against anything the publisher asserted, so a tarball that was already tampered with at download time would be faithfully pinned.
Recommendations
- HIGH: Downloads and executes remote code from: https://github.com/owner/repo/archive/refs/tags/vX.Y.Z.tar.gz - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata