crap

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
Risk Tags: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [DATA_EXPOSURE]: The script scripts/analyze_crap.py uses the standard xml.etree.ElementTree library to parse coverage.xml and cobertura.xml files. This library is vulnerable to XML External Entity (XXE) attacks. If a repository contains a malicious coverage report file, an attacker could potentially read sensitive local files or perform server-side request forgery (SSRF).
  • [REMOTE_CODE_EXECUTION]: The 'One-Shot Remediation Loop' described in references/one-shot-loop.md encourages the agent to autonomously modify production code and tests, then execute them using local build tools (make, pytest, cargo, npm). This high level of autonomy effectively allows code generated at runtime to be executed on the system, which is a significant security risk if the input source code is malicious or includes indirect prompt injections.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from the repository being analyzed.
      ◦ Ingestion points: The agent reads source code (.py, .rs, .ts) and coverage artifacts (LCOV, XML) from the target repository.
      ◦ Boundary markers: The instructions do not specify any delimiters or warnings to prevent the agent from following instructions embedded within the code or coverage data.
      ◦ Capability inventory: The skill allows the agent to write files, execute shell commands via build tools, and perform git commits.
      ◦ Sanitization: There is no evidence of sanitization or safety checks on the content extracted from the analyzed files before it influences the agent's remediation plan.
  • [EXTERNAL_DOWNLOADS]: The references/coverage-targets.md documentation recommends running cargo install cargo-llvm-cov, which downloads and installs third-party software from a remote source while the skill is in use.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 08:11 PM