solve-challenge

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS

Full Analysis
  • [PROMPT_INJECTION]: The skill includes a placeholder for user arguments ($ARGUMENTS) at the end of its instructions without delimitation, which may let user-supplied text override the skill's logic or the agent's safety guidelines.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection, as it is explicitly instructed to search for context, hints, and clues within untrusted challenge artifacts and URLs. Evidence chain:
      1. Ingestion points: WebFetch, Bash (file reading), and Grep.
      2. Boundary markers: Absent; the agent is not warned to ignore instructions embedded in the data.
      3. Capability inventory: Bash (full shell access), Write (file system modification), and WebFetch (network access).
      4. Sanitization: Absent.
  • [COMMAND_EXECUTION]: The skill's primary workflow involves generating and executing arbitrary shell commands and Python code. While intended for CTF solving, this capability provides a powerful primitive for an attacker if the agent is manipulated via malicious data.
  • [DATA_EXFILTRATION]: The combination of the agent's ability to read local files and its access to network communication tools (WebFetch, netcat) presents a significant exfiltration surface. A malicious challenge could trick the agent into sending sensitive local data (e.g., credentials or configuration) to a remote listener.
  • [EXTERNAL_DOWNLOADS]: The skill encourages the installation of various toolsets via a local script (scripts/install_ctf_tools.sh). This dependency management pattern introduces supply chain risks, as the automated installation of numerous third-party tools from various package managers (apt, pip, brew, gems, go) increases the environment's attack surface.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 5, 2026, 02:13 PM