The Agent Skills Directory

Unverifiable Dependencies (MEDIUM): The skill instructs the agent to execute cargo install wasm-pack. Installing packages from crates.io at runtime without specific version pinning can expose the environment to dependency confusion or malicious package versions.
Dynamic Execution (MEDIUM): The skill automates the compilation of Rust source code into WASM binaries using cargo and rustup. Running a compiler on potentially modified or community-sourced code is a form of dynamic execution that could be exploited to execute arbitrary code on the host system.
Indirect Prompt Injection (LOW): The skill's primary workflow involves searching GitHub for community layouts, plugins, and discussions. Ingesting this untrusted content into the LLM context (especially READMEs and KDL comments) creates a surface for indirect prompt injection.
Ingestion points: GitHub search results (READMEs, .kdl files, Issue/PR descriptions).
Boundary markers: Absent; no instructions are provided to delimit external content or ignore embedded commands.
Capability inventory: The skill can execute shell commands via cargo, rustup, and write files to the user's configuration directory.
Sanitization: Absent; the skill extracts patterns directly from community content without validation.
Data Exposure (LOW): The skill explicitly targets and checks the directory /home/delorenj/.config/zellij/. While this is functional for the intended purpose, hardcoding specific user home paths can lead to unintended exposure of local system structure.

Zellij Specialist