NYC

skill-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The 'Update Workflow' described in SKILL.md instructs the agent to fetch remote README files and use them to 'refactor' and 'rewrite' local SKILL.md and wrapper.py files. An attacker can embed instructions in a README to force the agent to insert malicious code during an update.
    * Ingestion points: Remote GitHub README files and repository metadata.
    * Boundary markers: None specified in the documentation or implementation logic.
    * Capability inventory: File writing, refactoring local skill files, and directory deletion via scripts.
    * Sanitization: None; the agent relies on its own interpretation of untrusted remote text to perform code modifications.
  • EXTERNAL_DOWNLOADS (HIGH): The skill's primary function is to download and install arbitrary code folders from a database of 31,767 unverified community repositories. This facilitates the introduction of malicious third-party skills into the agent's environment.
  • COMMAND_EXECUTION (MEDIUM): The scripts/delete_skill.py script provides a mechanism for arbitrary directory deletion using shutil.rmtree, with no confinement of the target to the skills directory. It could be abused if the agent is manipulated (for example via the README injection above) into targeting sensitive system paths.
  • Information Exposure (LOW): Scripts like scripts/scan_and_check.py contain hardcoded absolute Windows paths (e.g., C:\Users\20515\.claude\skills) that reveal local environment details and internal account names.
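The two script-level findings above (an unconfined shutil.rmtree and a hardcoded absolute skills path) can be addressed together. The following is an added example written for this page; it is not the audited skill's scripts/delete_skill.py or scripts/scan_and_check.py, whose contents the audit does not reproduce. It assumes the skills root is <home>/.claude/skills, as the quoted path suggests, and that a skill is exactly one directory directly under that root. The delete routine derives the root from the current user's home directory, rejects names containing path separators, refuses symlinks, and resolves the final path before checking that its parent is the skills root, so neither '..' tricks nor a planted symlink can steer rmtree outside the skills tree.

```python
"""Path-confined skill deletion (added example, not the audited project's code).

Assumptions (not stated by the audit): the skills root is <home>/.claude/skills,
and each skill is a single directory immediately below that root.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

# Characters that must never appear in a skill name: any of these lets the
# name escape the root (separators) or change drive on Windows (colon).
_FORBIDDEN = set("/\\:")


def skills_root(home: Path | None = None) -> Path:
    """Derive the skills root from the home directory instead of hardcoding
    an absolute path such as C:\\Users\\<name>\\.claude\\skills."""
    return (home if home is not None else Path.home()) / ".claude" / "skills"


def resolve_skill_dir(name: str, root: Path) -> Path:
    """Return the directory for `name`, or raise ValueError if it would lie
    outside `root` or is a symlink (which rmtree would otherwise follow)."""
    if not name or name in {".", ".."} or (set(name) & _FORBIDDEN):
        raise ValueError(f"invalid skill name: {name!r}")
    root = root.resolve()
    candidate = root / name
    if candidate.is_symlink():
        raise ValueError(f"refusing to operate on symlink: {candidate}")
    target = candidate.resolve()  # collapses '..' and any remaining links
    if target.parent != root:
        raise ValueError(f"refusing to operate outside skills root: {target}")
    return target


def delete_skill(name: str, root: Path | None = None, dry_run: bool = False) -> Path:
    """Delete one skill directory under the skills root and return its path.
    With dry_run=True the checks run but nothing is removed."""
    base = root if root is not None else skills_root()
    target = resolve_skill_dir(name, base)
    if not target.is_dir():
        raise FileNotFoundError(target)
    if not dry_run:
        shutil.rmtree(target)
    return target


def demo() -> dict:
    """Exercise the checks on a constructed, throwaway skills tree."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        root = skills_root(home)
        (root / "hello-skill").mkdir(parents=True)
        (root / "hello-skill" / "SKILL.md").write_text("# hello\n")
        (home / "secret").mkdir()
        (home / "secret" / "keys.txt").write_text("do not delete\n")

        # A planted symlink inside the root pointing at data outside it.
        try:
            os.symlink(home / "secret", root / "evil", target_is_directory=True)
            results["symlink_created"] = True
        except (OSError, NotImplementedError):
            results["symlink_created"] = False

        results["preview"] = delete_skill("hello-skill", root, dry_run=True).name
        results["still_there"] = (root / "hello-skill").exists()
        results["deleted"] = delete_skill("hello-skill", root).name
        results["gone"] = not (root / "hello-skill").exists()

        for bad in ["../secret", "..", "hello-skill/../../secret", "/etc", "C:", "evil"]:
            try:
                delete_skill(bad, root)
                results[bad] = "ALLOWED"
            except ValueError:
                results[bad] = "rejected"
            except FileNotFoundError:
                results[bad] = "not found"
        results["secret_intact"] = (home / "secret" / "keys.txt").exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parent-equals-root check after resolve() is the part that matters: a name filter alone is bypassable by whatever the filter forgot, whereas comparing the fully resolved target against the resolved root rejects every escape route at once. If the symlink case is not created (for example on Windows without the symlink privilege), "evil" simply reports "not found".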
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:23 AM