skill-creator

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]:
    • scripts/execute_chain.js: Uses the Function constructor to evaluate JavaScript expressions dynamically assembled from templates within the evaluateCondition method. This allows arbitrary code execution if the source chain definition is untrusted or compromised.
  • [COMMAND_EXECUTION]:
    • assets/scheduler-cron.sh: Programmatically modifies the user's system crontab using crontab -l and crontab - to install or uninstall scheduled tasks. This creates system-level persistence that outlives the skill's execution session.
    • scripts/assign_codex.js: Implements an execution path that explicitly uses the --dangerously-bypass-approvals-and-sandbox flag when invoking the external Codex CLI. This intentionally removes the security boundaries and approval requirements intended to protect the host system.
    • scripts/assign_codex.js: Constructs shell commands by interpolating Base64-encoded prompts into a command string executed via execSync, which can be a vector for shell injection if inputs are not strictly validated.
  • [PROMPT_INJECTION]:
    • The skill has a significant attack surface for indirect prompt injection. It ingests untrusted user requests (via detect_mode.js and analyze_request.md) and uses them to generate executable code, agent task specifications, and documentation.
    • Ingestion points: detect_mode.js (--request argument), analyze_request.md (user input text).
    • Boundary markers: No explicit markers or "ignore embedded instructions" warnings are applied to the user-provided data before it is processed by the generation agents.
    • Capability inventory: The skill possesses the Bash, Write, Edit, and Task tools, allowing it to execute arbitrary shell commands and write files based on generated content.
    • Sanitization: The skill lacks rigorous sanitization of external content before it is interpolated into templates for code or prompt generation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 01:55 AM