codebase-mcp

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): In MCPORTER_SKILL.md, multiple commands use npx -y mcporter. The -y flag skips the install confirmation prompt, so npx fetches and executes whatever the npm registry currently serves for the package. With no pinned version and no integrity hash, a compromised or typosquatted package results in immediate RCE in the agent's environment.
  • [COMMAND_EXECUTION] (HIGH): MCPORTER_SKILL.md provides shell logic that captures tool output into a shell variable (AUTH_OUT=$(npx ...)) and then string-matches it with rg (ripgrep) to decide what to run next. That output is attacker-influenced (it comes from a remotely fetched package talking to a remote service); if it is later re-interpolated unquoted into a command line, passed to eval or sh -c, or used to build the next command, shell metacharacters in it can lead to arbitrary command execution.
  • [DATA_EXFILTRATION] (MEDIUM): The skill uses a two-step upload: a URL is retrieved from the server, then the file is sent to it with curl -X PUT (UPLOAD_URL_FROM_PREVIOUS_STEP). Because the agent performs the PUT against whatever URL the server returns, the server chooses the destination: a URL pointing at an internal metadata service yields SSRF from the agent host, and one pointing at an attacker-controlled endpoint exfiltrates the uploaded data.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to process external content for blog publication.
    • Ingestion points: Tool outputs from get_writing_style_guide and user-provided content in create_post (file: MCPORTER_SKILL.md).
    • Boundary markers: Entirely absent; external content is interpolated directly into command arguments.
    • Capability inventory: File upload (finalize_uploaded_image), blog publication (create_post), and local shell execution (npx).
    • Sanitization: No escaping or validation is performed on the content before it is passed to the shell or the API.
  • [PROMPT_INJECTION] (LOW): MCPORTER_SKILL.md contains selection rules in Korean and English (in translation: "When the user uses the trigger phrases above...") that instruct the agent to override its normal tool selection and prioritize this skill's mcporter flow. This effectively acts as a tool-hijacking instruction.
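As an added example (not code from the skill or from the auditor), the following script shows hardened counterparts to the three shell patterns flagged above, written in the shell the skill itself uses: a version-pinned npx invocation, captured tool output handled as inert data (with the unsafe re-interpolation shown beside it so the difference is observable), and an allowlist check on the server-supplied URL before the curl PUT. The marker strings in the tool output, the allowlisted upload host, and the MCPORTER_VERSION variable are assumptions of this example, not values from the skill.

```shell
#!/usr/bin/env bash
# Added example, not code from MCPORTER_SKILL.md: hardened versions of the
# three shell patterns in the findings. Marker strings, the allowlisted host
# and MCPORTER_VERSION are invented for the example.
set -eu

# --- Finding 1: never run an unpinned package with npx -y -------------------
run_mcporter() {
  # Exact version pin. MCPORTER_VERSION is an assumed variable the operator
  # sets to the audited release; installing from a lockfile (npm ci) would
  # additionally check the integrity hash.
  : "${MCPORTER_VERSION:?set MCPORTER_VERSION to the audited release}"
  npx -y "mcporter@${MCPORTER_VERSION}" "$@"
}

# --- Finding 2: captured tool output must stay data -------------------------
# Unsafe: the captured text is re-expanded as shell syntax by a second shell.
# If the output contains $(...) or backticks, sh runs them.
unsafe_echo() {
  local captured="$1"
  sh -c "echo $captured"
}

# Safe: the value is only ever quoted and printed or compared, never
# re-parsed as a command line.
safe_echo() {
  local captured="$1"
  printf '%s\n' "$captured"
}

# Decide from captured output with a fixed-string match (-F), so regex or
# shell metacharacters in the output cannot change what is matched.
# rg -qF behaves the same way as grep -qF here.
classify_auth_output() {
  local auth_out="$1"
  if printf '%s\n' "$auth_out" | grep -qF 'status: authenticated'; then
    printf 'authenticated'
  elif printf '%s\n' "$auth_out" | grep -qF 'status: not logged in'; then
    printf 'needs_login'
  else
    printf 'unknown'
  fi
}

# --- Finding 3: validate the server-supplied URL before curl -X PUT ---------
UPLOAD_HOST_ALLOWLIST="uploads.example.com"   # assumption for the example

validate_upload_url() {
  local url="$1" host allowed
  # https only: rejects http:, file:, gopher: and scheme-relative URLs.
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  # Reduce to the host: drop scheme, then path/query/fragment, userinfo, port.
  host="${url#https://}"
  host="${host%%[/?#]*}"
  host="${host##*@}"
  host="${host%%:*}"
  [ -n "$host" ] || return 1
  # Allowlist only: 169.254.169.254, metadata.google.internal, localhost and
  # attacker domains all fail here; no denylist to keep current.
  for allowed in $UPLOAD_HOST_ALLOWLIST; do
    if [ "$host" = "$allowed" ]; then
      return 0
    fi
  done
  return 1
}

upload_file() {
  local file="$1" url="$2"
  validate_upload_url "$url" || { echo "refusing upload to $url" >&2; return 1; }
  # --upload-file is curl's PUT; --fail surfaces HTTP errors; -L is omitted
  # so the validated host cannot redirect the upload elsewhere.
  curl --fail --silent --show-error --upload-file "$file" "$url"
}

# Demo with constructed tool output containing a command substitution.
printf 'unsafe re-interpolation prints: %s\n' "$(unsafe_echo '$(echo INJECTED)')"
printf 'safe handling prints:           %s\n' "$(safe_echo '$(echo INJECTED)')"
printf 'classification:                 %s\n' "$(classify_auth_output 'status: authenticated; $(echo pwned)')"
for u in 'https://uploads.example.com/img/1?sig=abc' 'https://169.254.169.254/latest/meta-data/'; do
  if validate_upload_url "$u"; then echo "allow  $u"; else echo "reject $u"; fi
done
```

The allowlist is deliberately exact-match on the host after stripping userinfo and port, which also defeats `https://uploads.example.com@evil.example/` and `https://uploads.example.com.evil.example/` style lookalikes; anything the parser cannot reduce to an allowlisted host is rejected, so the check fails closed.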
Recommendations
  • AI detected serious security threats. Based on the findings above:
  • Pin mcporter to an exact, reviewed version (and install it from a lockfile so the integrity hash is checked) instead of running `npx -y mcporter` unpinned.
  • Treat captured tool output (AUTH_OUT) as data: quote every expansion, compare it with fixed-string matching, and never pass it to eval, sh -c, or a rebuilt command line.
  • Validate the server-supplied upload URL before the curl -X PUT: require https, allowlist the expected host, and reject loopback, link-local and cloud metadata addresses.
  • Wrap content from get_writing_style_guide and user-supplied create_post content in explicit boundary markers and escape or validate it before it reaches the shell or the API.
  • Remove the tool-selection override rules, or require explicit user confirmation before the mcporter flow runs.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 04:18 PM