The Agent Skills Directory

[DATA_EXFILTRATION] (HIGH): Arbitrary file read via unvalidated docs_dir parameter.\n
The search function in run.py accepts a docs_dir argument from the input args with a default value of 'docs'.\n
This path is passed directly to subprocess.run as an argument for grep and subsequently used in Path.read_text().\n
Lack of path validation or sandboxing allows an attacker to specify sensitive directories (e.g., /etc, ~/.ssh) as the search target.\n
Matched files have their first 2000 characters read and returned to the caller, potentially exposing secrets, credentials, or system configurations.\n- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.\n
Ingestion points: Untrusted data enters the agent context through tavily_search (web results) and Path.read_text() (local file contents) in run.py.\n
Boundary markers: Absent. The synthesis_prompt interpolates retrieved data directly into a request for the LLM to summarize and organize the information.\n
Capability inventory: The skill has the capability to execute system commands (grep), read files, and perform network requests via the Tavily API.\n
Sanitization: There is no evidence of sanitization, filtering, or escaping of the ingested content before it is included in the prompt for the next stage of processing.\n- [COMMAND_EXECUTION] (LOW): Usage of subprocess.run with system binaries.\n
The script relies on the external grep utility. While it correctly avoids shell=True, using system commands on user-provided directory paths increases the attack surface for file system exploration.

best-practice-search