mcp-server-builder

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The TypeScript code example for the run_tests tool in SKILL.md is vulnerable to command injection. It directly interpolates the file_pattern argument into a shell command (pnpm test ${args}) without any validation or escaping, allowing for arbitrary shell command execution.
  • [COMMAND_EXECUTION]: The search_codebase tool template in SKILL.md contains a command injection vulnerability. The sanitization attempt using .replace(/'/g, "\\'") is ineffective, because a backslash does not escape a single quote inside a single-quoted string in most shells (bash included), and the file_glob variable is interpolated without any sanitization at all, allowing an attacker to break out of the quoted shell context and execute arbitrary commands.
  • [REMOTE_CODE_EXECUTION]: The script scripts/server_scaffolder.py generates full TypeScript and Python source files and writes them to the local file system. It also marks the generated Python files as executable, which creates a significant security risk if the input configuration is malicious or untrusted.
  • [PROMPT_INJECTION]: The scripts/openapi_converter.py script presents a surface for indirect prompt injection. It parses external OpenAPI/Swagger specifications and uses their summary and description fields to generate MCP tool documentation. An attacker could craft a specification with malicious instructions in these fields to influence agent behavior when it consumes the generated tool server.
  • Ingestion points: scripts/openapi_converter.py (via load_spec and convert_spec functions).
  • Boundary markers: None identified; external content is used directly in tool descriptions.
  • Capability inventory: scripts/server_scaffolder.py (file-write) and SKILL.md code templates (shell execution via execSync and subprocess.run).
  • Sanitization: Performed for tool names (snake_case) but absent for descriptive fields where natural language instructions are processed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 01:08 AM