roughcut

Fail

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Instructions in agent_instructions.md use shell commands in which variables such as [library-name] and [roughcut_name] are concatenated directly into the command string. Anyone who controls one of those names can execute arbitrary commands by including shell syntax in it (backticks, $(...), or operators such as ; and |), since the shell expands the name before the intended command runs.
  • [PROMPT_INJECTION]: SKILL.md defines a subagent launch template that interpolates the {what_user_asked_for} variable directly into the subagent's system prompt. A user can therefore supply text that reads as system-level instructions and overrides the constraints and behavior the template defines.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it ingests and processes untrusted visual transcript data from the file system without isolating that data from its own instructions.
    • Ingestion points: visual transcript JSON files under libraries/[library-name]/transcripts/.
    • Boundary markers: absent. The data is concatenated with cat and read in chunks, with no delimiters and no instruction to treat embedded text as data rather than as commands.
    • Capability inventory: the skill has significant capabilities, including shell execution (bash), file creation, and execution of local Ruby scripts, so injected instructions can have real side effects.
    • Sanitization: no validation or sanitization is performed on the content of the JSON transcripts or of the library configuration files.
  • [REMOTE_CODE_EXECUTION]: The Ruby script export_to_fcpxml.rb uses YAML.load_file to parse roughcut definitions. It does pass permitted_classes, but it then drives export logic from files in a local directory that an attacker with write access to the library could tamper with, which leaves a residual risk of object injection or code execution through whichever classes are permitted. How serious this is depends on the Psych version and on that list: on Psych 4 (the default since Ruby 3.1) YAML.load_file delegates to safe_load and revives only the permitted classes, whereas older Psych deserializes arbitrary Ruby objects from a tagged document. The rating should be revisited once the permitted_classes list and the runtime's Psych version are confirmed.
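As an added example (not code from the roughcut skill, from export_to_fcpxml.rb, or from the Trust Hub audit), the Ruby below puts the two code-level findings side by side: the interpolated-string pattern that lets a crafted [library-name] run a command, beside a validated argv form that never reaches a shell, and a restricted YAML loader with a schema check for roughcut definitions. The libraries/<name>/transcripts/ layout follows the report; the roughcut schema (name, clips with src/in/out), the NAME_RE pattern, and all inputs are constructed assumptions for illustration.

```ruby
# Added example for the command-execution and YAML findings above. It is not
# code from the roughcut skill or from the Trust Hub audit; the directory
# layout (libraries/<name>/transcripts/) follows the report, and the roughcut
# schema (name, clips with src/in/out) is an assumption made for illustration.
require "open3"
require "yaml"

# Safe as a single path component and as one argv element: starts with an
# alphanumeric (so "..", ".", and option-like "-rf" are rejected) and contains
# no path separators or shell metacharacters.
NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/

def safe_name?(name)
  name.is_a?(String) && name.match?(NAME_RE)
end

# --- Finding 1: shell interpolation -----------------------------------------

HOSTILE_NAME = "$(echo INJECTED)"  # constructed attacker-controlled library name

# Vulnerable pattern from the report: the name is interpolated into a single
# command string, which Ruby (like bash) hands to /bin/sh. The substitution
# runs, and the returned output proves it.
def interpolated_command(name)
  out, _status = Open3.capture2("echo libraries/#{name}/transcripts")
  out.chomp
end

# Hardened pattern: validate first, then pass argv so no shell is involved.
def argv_command(name)
  raise ArgumentError, "unsafe library name: #{name.inspect}" unless safe_name?(name)
  out, _status = Open3.capture2("echo", "libraries/#{name}/transcripts")
  out.chomp
end

# --- Finding 2: YAML deserialization -----------------------------------------

# Constructed roughcut definitions: one benign, one carrying a Ruby object tag
# such as a tampered file in the library directory could hold.
BENIGN_YAML = <<~YAML
  name: intro-edit
  clips:
    - {src: interview.mov, in: 0.0, out: 12.5}
    - {src: broll.mov, in: 3.0, out: 4.25}
YAML

TAGGED_YAML = <<~YAML
  name: intro-edit
  clips: !ruby/object:Object {}
YAML

# Restricted loader with an empty class allowlist: only Hash, Array, String,
# Integer, Float, true/false/nil come back. Any tag naming a class (and Symbol
# or Date values) raises Psych::DisallowedClass. YAML.load/load_file is only
# this strict on Psych >= 4 (Ruby 3.1+); older Psych revives arbitrary objects.
def load_roughcut(yaml_text)
  doc = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  validate_roughcut(doc)
end

# Schema check so that even well-typed YAML cannot smuggle unexpected
# structure into the export step. Returns a normalized copy on success.
def validate_roughcut(doc)
  raise ArgumentError, "top level must be a mapping" unless doc.is_a?(Hash)
  raise ArgumentError, "bad name" unless safe_name?(doc["name"])
  clips = doc["clips"]
  raise ArgumentError, "clips must be a non-empty list" unless clips.is_a?(Array) && !clips.empty?
  clips.each do |clip|
    raise ArgumentError, "clip must be a mapping" unless clip.is_a?(Hash)
    raise ArgumentError, "bad src" unless safe_name?(clip["src"])
    t_in, t_out = clip["in"], clip["out"]
    unless t_in.is_a?(Numeric) && t_out.is_a?(Numeric) && t_in >= 0 && t_in < t_out
      raise ArgumentError, "bad clip range #{t_in.inspect}..#{t_out.inspect}"
    end
  end
  { "name" => doc["name"], "clips" => clips.map { |c| c.slice("src", "in", "out") } }
end

if __FILE__ == $PROGRAM_NAME
  puts interpolated_command(HOSTILE_NAME)   # the shell ran the substitution
  puts argv_command("intro-edit")
  p load_roughcut(BENIGN_YAML)["clips"].length
end
```

The first function deliberately keeps the report's vulnerable shape so the effect is observable with a harmless echo; the point of the argv form is that validation happens before any process is spawned, and the name is handed to the child as one argument rather than re-parsed by a shell. For the YAML side, the allowlist is empty because a roughcut definition needs nothing beyond plain mappings, lists, strings and numbers; if the real script must permit classes, each one should be justified and the schema check kept.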
Recommendations
  • AI detected serious security threats. The findings above point to the following remediations:
  • Validate [library-name] and [roughcut_name] against a strict allowlist pattern before use, and pass them to commands as separate arguments rather than interpolating them into a shell string.
  • Do not interpolate {what_user_asked_for} into the subagent's system prompt; place user text in a clearly delimited user-data section that the system prompt instructs the agent to treat as data.
  • Wrap transcript JSON in explicit boundary markers and instruct the agent to ignore any instructions found inside them, and validate the JSON structure before use.
  • Load roughcut YAML with a safe loader and a minimal, justified permitted_classes list, then validate the resulting structure against the expected schema before exporting.
Audit Metadata
Risk Level: HIGH
Analyzed: May 5, 2026, 09:47 AM