psr12-moodle

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it reads untrusted PHP files and possesses powerful tools like Bash and Edit.
  • Ingestion points: The skill uses the Read tool to ingest the content of PHP files during the validation workflow.
  • Boundary markers: No delimiters or safety instructions are defined to prevent the agent from following natural language instructions embedded within the PHP code (e.g., in comments or strings).
  • Capability inventory: The agent has access to Bash, Edit, and Read tools, allowing it to execute commands or modify the file system based on instructions found in the data.
  • Sanitization: There is no evidence of sanitization or filtering of the code content before processing.
  • [Remote Code Execution] (HIGH): The skill explicitly instructs the agent to execute ./dev.sh check. If the repository being analyzed is untrusted or has been compromised, this script could contain malicious code that would execute with the privileges of the AI agent.
  • [Command Execution] (MEDIUM): The skill relies on running binaries located in vendor/bin/ (e.g., phpcs, phpcbf). While common in PHP development, executing binaries from an untrusted project directory is a security risk unless the execution environment is strictly sandboxed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:18 AM