nav-skill-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The file functions/skill_generator.py is vulnerable to injection attacks because it uses raw f-strings to construct skill files from untrusted user input.
      • Ingestion points: The description and triggers parameters in the generate_skill_structure function are directly interpolated into the file content.
      • Boundary markers: Absent. There are no delimiters or escaping mechanisms to prevent user input from breaking out of YAML frontmatter or Markdown body fields.
      • Capability inventory: Resulting skills are granted high-privilege tools including Bash, Write, and Edit by default.
      • Sanitization: Validation only exists for the skill_name field (via regex); the description and triggers inputs are inserted raw, allowing an attacker to inject YAML delimiters (---) and override tool permissions or instructions.
  • [Command Execution] (MEDIUM): The example-feature-generator.md skill and the generator's default tool list include Bash, Write, and Edit. These tools allow the agent to execute shell commands and modify the filesystem. In the context of the injection vulnerability, this provides a direct path for executing arbitrary code or persisting malicious scripts.
  • [Metadata Poisoning] (LOW): The generation process allows users to specify unvalidated descriptions and version numbers, which can be used to disguise the purpose of a generated skill or impersonate legitimate tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:38 AM