autonomous-agent-patterns


Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The MCPAgent.create_tool pattern in SKILL.md demonstrates a design where Python code is generated by an LLM based on user descriptions and then written directly to a file (server.py) to be loaded and executed. This pattern facilitates arbitrary code execution if the LLM-generated content is influenced by malicious input.
  • [COMMAND_EXECUTION]: The SandboxedExecution class utilizes subprocess.run with shell=True to execute commands. While it implements a whitelist, the use of a shell environment is a significant security risk that can allow command injection through shell metacharacters and operators.
  • [PROMPT_INJECTION]: The ContextManager class implements a pattern that is vulnerable to indirect prompt injection.
      ◦ Ingestion points: Untrusted data is ingested from remote URLs via add_url and local files via add_file in SKILL.md.
      ◦ Boundary markers: The format_for_prompt method uses markdown headers and code blocks as delimiters but lacks explicit 'ignore' instructions to prevent the model from following commands embedded within the external data.
      ◦ Capability inventory: The agent architecture includes capabilities for file modification (edit_file), system command execution (run_command), and browser automation (open_browser).
      ◦ Sanitization: There is no evidence of sanitization or filtering of the fetched content before it is interpolated into the agent's prompt context.
  • [COMMAND_EXECUTION]: The CheckpointManager class executes shell commands via subprocess.getoutput to capture git state. Executing shell commands based on the state of the workspace can be exploited if the environment contains maliciously crafted git metadata.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 10, 2026, 01:13 AM