mcp-builder

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The database-server.md implementation is vulnerable to SQL injection. It uses f-strings to directly interpolate user-provided SQL queries into the execution command (cursor.execute(f"{query} LIMIT {limit}")). The keyword-based blacklist provided is an insufficient defense against sophisticated attacks.
  • [CREDENTIALS_UNSAFE] (HIGH): The resource-server.md implementation exposes the entire environment variable dictionary via the dynamic://system/info resource. Environment variables frequently contain sensitive credentials, API keys, and configuration secrets that should not be exposed to the agent context.
  • [DATA_EXFILTRATION] (MEDIUM): The resource-server.md exposes internal system metrics and environment details (os.uname, os.environ, and /proc/uptime) to the AI agent. While it implements path traversal protections for static files, the dynamic resources leak extensive system-level metadata.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill references several third-party Python packages (aiohttp, psutil, pytest, pyjwt, jsonschema) and the MCP inspector tool that require external installation from package registries.
  • [PROMPT_INJECTION] (LOW): The skill exhibits surfaces for indirect prompt injection where untrusted data (SQL query strings and external API responses) enters the agent context. Evidence:
    1. Ingestion points: execute_query arguments in database-server.md and GitHub profile data in rest-api-wrapper.md.
    2. Boundary markers: Absent.
    3. Capability inventory: sqlite3.execute and aiohttp.get.
    4. Sanitization: Minimal keyword checking in the database example; no sanitization for GitHub content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:40 PM