repo-search

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The query.py script uses pickle.load() to deserialize the BM25 keyword index from the .vectordb directory. The pickle module is inherently insecure as it can be used to execute arbitrary code during deserialization if a malicious file is provided. An attacker who manages to place a crafted pickle file in the repository's database directory could achieve code execution when the skill is used.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run() in query.py to execute the git rev-parse --show-toplevel command. This is used for automatic detection of the repository root directory when no database path is explicitly provided.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes and retrieves content from external, untrusted documents.
    ◦ Ingestion points: The ingest.py script extracts text from Markdown, PDF, Word, and Excel files within the user's repository.
    ◦ Boundary markers: Chunks are prepended with basic metadata (titles and heading hierarchies), but do not include robust security delimiters or instructions to ignore embedded commands.
    ◦ Capability inventory: The skill can read arbitrary local files and execute specific shell commands, which could be exploited if an agent follows instructions found within indexed documents.
    ◦ Sanitization: No sanitization or safety filtering is applied to the extracted text content before it is provided to the agent.
  • [EXTERNAL_DOWNLOADS]: The install.sh and setup.sh scripts facilitate the installation of necessary Python dependencies from the official Python Package Index (PyPI) to create the skill's runtime environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:37 PM