mcp-client
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The client script scripts/mcp_client.py implements a stdio transport that spawns local subprocesses based on commands and arguments specified in configuration files (mcp-config.json, .mcp.json, or ~/.claude.json). This allows the execution of arbitrary local binaries. Additionally, the provided configuration examples utilize npx to download and run server packages at runtime, introducing a dependency on external package registries.
- [REMOTE_CODE_EXECUTION]: Documentation in SKILL.md and references/mcp-servers.md highlights the browser_run_code tool for the Playwright server, which allows the execution of arbitrary JavaScript code within a browser. This constitutes a dynamic execution surface that could be used to run malicious logic if the code passed to it is derived from untrusted inputs.
- [EXTERNAL_DOWNLOADS]: The skill supports sse and streamable_http transports, enabling connections to arbitrary remote URLs defined in the server configuration. This facilitates outbound network communication to potentially untrusted third-party endpoints.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection. It is designed to ingest and process data from external, potentially untrusted sources (such as web pages navigated via Playwright or remote files via the Filesystem server) and possesses high-impact capabilities such as command execution and file modification. Malicious instructions embedded in the processed data could manipulate the agent's behavior in subsequent tool calls.
  - Ingestion points: browser_navigate (Playwright), read_file (Filesystem server).
  - Boundary markers: None identified in the provided implementation.
  - Capability inventory: Local command execution (stdio transport), network communication (sse/http transports), and filesystem access (via configured servers).
  - Sanitization: No content validation or sanitization is performed on data retrieved from external servers before it is returned to the agent context.
Audit Metadata