memory-mcp
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (MEDIUM): The 'execute_agent_code' tool defined in tools.md allows for the execution of arbitrary JavaScript/TypeScript code provided in the 'code' parameter. This represents a Category 10 (Dynamic Execution) risk. Although the documentation notes that this is only available if a WASM sandbox is enabled, the presence of a code execution engine within the skill's toolset is a significant capability that could be targeted for exploitation.
- [EXTERNAL_DOWNLOADS] (LOW): The configuration and validation documentation (configuration.md, validation.md) suggests running 'npx -y @modelcontextprotocol/inspector'. This constitutes a Category 4 (Unverifiable Dependencies) finding as it downloads and executes remote code from a public registry. The severity is reduced to LOW because the package is an official tool from a trusted organization (Model Context Protocol).
- [COMMAND_EXECUTION] (LOW): The troubleshooting.md file provides instructions for manual binary execution and modification of file permissions ('chmod +x'). While standard for local development, these instructions involve manual shell interaction.
- [PROMPT_INJECTION] (LOW): This finding identifies an Indirect Prompt Injection surface (Category 8). Evidence Chain:
  1. Ingestion: The 'query_memory' tool (tools.md) retrieves data from external databases (SQLite/Turso).
  2. Boundary markers: No delimiters or ignore-instructions are specified for the retrieved database content.
  3. Capability: The skill possesses the 'execute_agent_code' capability, which could be triggered by injected instructions.
  4. Sanitization: No explicit sanitization or validation of the retrieved memory content is described.
Audit Metadata