The Agent Skills Directory

Remote Code Execution (CRITICAL): Multiple files and automated scan reports identify the use of piped remote execution patterns (e.g., curl | bash). Documentation in .beads/README.md instructs users to install using curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash. The automated scan also detected installers from Dicklesworthstone. These GitHub accounts are not in the trusted repository list, exposing users to arbitrary code execution during installation.
Command Execution (HIGH): The script scripts/automatically_detect_all_installed_coding_agents_and_install_mcp_agent_mail_in_all.sh performs intrusive operations by scanning for and modifying sensitive AI agent configuration files in the home directory (~/.claude, ~/.cursor, ~/.gemini). While intended for integration, this broad capability to modify system-level configurations poses a significant security risk.
Credentials Unsafe (HIGH): The configuration file .claude/settings.json contains a hardcoded bearer token (dc5029ac32a9f350508a565af683205cf99f25c896b07c07bc53a9517877ce8c). Hardcoding secrets in a repository is a high-risk practice that can lead to unauthorized access to the MCP server.
Indirect Prompt Injection (LOW): As a messaging server, the skill ingests untrusted text from other agents or external sources, creating a surface for indirect prompt injection. • Ingestion points: Untrusted data enters via the send_message tool and is retrieved through fetch_inbox or resource://inbox/ (seen in src/mcp_agent_mail/app.py). • Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands in the tool output provided to the LLM. • Capability inventory: The server possesses broad capabilities including file system access, network communication, and execution of git subprocesses. • Sanitization: While HTML sanitization is used for the web viewer, there is no evidence of filtering or instruction-stripping for content delivered directly to the AI agent context.
Dynamic Execution (MEDIUM): Maintenance and integration scripts frequently use eval "$(uv run python ...)" to execute shell commands generated by Python logic. This increases the risk of command injection if the Python script's output is compromised.

agent-mail