skill-manager

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): Path Traversal in scripts/remove.sh. The script accepts the $ITEM_NAME argument and concatenates it directly into a file system path (SKILL_PATH="$SKILLS_DIR/$ITEM_NAME") without any sanitization or directory traversal checks. Since the script executes rm -rf "$TARGET_PATH", an attacker can delete arbitrary files or directories accessible to the user by providing a relative path such as ../../../.ssh or ../../../Documents via a prompted agent action.
  • EXTERNAL_DOWNLOADS (HIGH): Unverifiable remote code execution via automated GitHub cloning and updates. The skill is designed to clone repositories from arbitrary URLs and install them into the agent's environment as new skills or commands. It includes an update.sh script that performs git pull on these directories. This creates a high-risk 'download then execute' pipeline where a malicious repository owner could push updates to take control of the agent's system.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection surface (Category 8). 1. Ingestion points: Remote GitHub repositories and subdirectories as documented in SKILL.md. 2. Boundary markers: Absent; no logic exists to identify or ignore instructions embedded within the downloaded skill data. 3. Capability inventory: Significant system impact including file deletion (rm), network access (git), and modification of the agent's executable skill set. 4. Sanitization: Absent; the skill does not validate or sanitize the content of the repositories before they are added to the agent context.
  • EXTERNAL_DOWNLOADS (MEDIUM): Incomplete code review due to missing files. The core installation logic in scripts/install.sh is extensively documented but missing from the provided source files, which prevents a full safety audit of the primary ingestion mechanism.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 04:21 PM