mise

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The section titled 'STRICT ENFORCEMENT: Usage Field Required' uses imperative and overriding language (e.g., 'non-negotiable', 'BLOCKED Patterns', 'WILL NOT generate') to force the agent to use specific tool-defined patterns, effectively hijacking its decision-making logic for generating task arguments.
  • [REMOTE_CODE_EXECUTION]: The skill documents and encourages fetching task scripts and task definitions from external URLs and Git repositories and executing them locally, so whoever controls those remote sources controls what runs on the developer's machine.
  • Evidence: Use of the file attribute to point to https://example.com/build.sh and Git URLs.
  • Evidence: Use of includes to pull task configurations from remote Git repositories.
  • [COMMAND_EXECUTION]: The documentation provides extensive instructions on defining and executing arbitrary shell commands via the run field, lifecycle hooks (preinstall, postinstall), and file watchers.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloading configurations and scripts from external, unverified sources beyond well-known registries.
  • [INDIRECT_PROMPT_INJECTION]: This skill presents an attack surface for indirect prompt injection by accepting external CLI arguments and interpolating them into shell scripts.
  • Ingestion points: Task arguments and flags defined in the usage block of mise.toml or in script headers.
  • Boundary markers: The documentation suggests the ${usage_var?} syntax but does not describe robust sanitization against shell injection for all possible interpreters. The ? modifier only aborts when the variable is unset; it does not neutralize shell metacharacters, and a task whose run script is executed by an interpreter other than a POSIX shell gets no protection from shell quoting at all.
  • Capability inventory: The skill relies on subprocess execution for every task defined in the run and hooks sections.
  • Sanitization: While the documentation claims the usage spec avoids argument-parsing bugs, it still interpolates user-controlled strings directly into shell scripts and environments, with no validation step between the argument and the command line.
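The interpolation risk behind the INDIRECT_PROMPT_INJECTION finding above, as an added example that is not part of this audit or of the mise project. It emulates in plain POSIX sh the two ways a task argument can reach a run script: concatenated into the script text before the shell parses it (the way a template expression would render; an assumption about that rendering step), versus passed as an environment variable and expanded inside double quotes with the ${usage_target?} form the report mentions. The usage_target name, the hostile argument, and the allowlist check are constructed for the example; the env-var prefix is assumed to mirror mise's usage_<name> convention and should be checked against the mise docs.

```shell
#!/bin/sh
# Added example, not mise code. usage_target follows the usage_<name>
# environment-variable convention only as an assumption.

# Unsafe path: the argument is concatenated into the script *source* before
# `sh` parses it, so shell metacharacters in the argument become code.
template_run() {
    rendered="printf 'building %s\\n' $1"
    sh -c "$rendered"
}

# Safer path: the script text is fixed; the argument travels as data in an
# environment variable and is expanded inside double quotes. ${var?} only
# aborts when the variable is unset; the quotes are what stop re-parsing.
env_run() {
    usage_target="$1" sh -c 'printf "building %s\n" "${usage_target?}"'
}

# Allowlist check to run before either path. Quoting protects a POSIX shell,
# but a task that hands the value to another interpreter gets no such help,
# so reject the empty string and anything outside a conservative character set.
is_safe_arg() {
    case "$1" in
        '' | *[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration with a constructed hostile argument.
hostile='x; echo INJECTED'
echo '--- template-style rendering ---'
template_run "$hostile"    # prints "building x" and then "INJECTED": a second command ran
echo '--- quoted env var ---'
env_run "$hostile"         # prints "building x; echo INJECTED": the argument stayed data
if is_safe_arg "$hostile"; then echo 'accepted'; else echo 'rejected by allowlist'; fi
```

The practical reading: the check the report finds missing is is_safe_arg (or an equivalent validation of each usage argument), and the safe expansion is the quoted environment variable, not the ${var?} modifier by itself.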
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 01:07 PM