
oss-doc-audit

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md explicitly direct the agent to execute arbitrary scripts and validation tools found within the repository being audited (e.g., 'Typical examples: docs hygiene scripts, manifest or route parity checks'). While necessary for the skill's purpose, this allows the execution of potentially malicious code present in an untrusted repository.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted documentation files (README.md, docs/*.md) to perform grading and audits.
  • Ingestion points: The agent inventories and reads the entire public documentation surface including root READMEs, CONTRIBUTING files, and the docs/ directory.
  • Boundary markers: No explicit boundary markers or instructions to ignore embedded instructions within the audited files are provided in the skill prompts.
  • Capability inventory: The skill can execute shell commands (rg, eval, python3), read/write files, and perform repository-native validations.
  • Sanitization: No specific sanitization or filtering of the audited documentation content is performed before processing it via the LLM.
  • [COMMAND_EXECUTION]: SKILL.md uses an eval statement to load environment variables from the output of scripts/select_mode.py. Although the script correctly uses shlex.quote() to mitigate command injection via configuration values, evaluating script output as shell code remains a sensitive pattern.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:11 PM