autonomous-agent-patterns

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • Remote Code Execution (HIGH): The MCPAgent.create_tool function in sub-skills/61-mcp-server-pattern.md implements a dangerous pattern in which Python code is generated by an LLM, written to a local file, and then executed via the connect_server method. This allows an attacker to achieve arbitrary code execution if they can influence the agent's task via indirect prompt injection.
  • Command Execution (HIGH): The SandboxedExecution class in sub-skills/33-sandboxing.md uses subprocess.run(command, shell=True) with validation logic that only checks the first word of the command string against a whitelist. This is trivial to bypass using command chaining characters such as ;, &&, or | to execute arbitrary shell commands outside the intended whitelist.
  • Data Exfiltration (HIGH): The ReadFileTool and EditFileTool in sub-skills/21-tool-schema.md and sub-skills/23-edit-tool-design.md allow the agent to read and modify any file on the system using absolute paths. When combined with the AUTO permission level suggested in sub-skills/31-permission-levels.md, this creates a high risk of sensitive data exposure (e.g., SSH keys, credentials) without user oversight.
  • Indirect Prompt Injection (LOW): Multiple components ingest untrusted external data, which could lead to prompt injection attacks.
    • Ingestion points: ContextManager.add_url (via requests.get) and BrowserTool.get_page_content (via Playwright).
    • Boundary markers: None identified; external content is interpolated directly into prompts.
    • Capability inventory: File writing, shell command execution, and dynamic code generation.
    • Sanitization: None; external HTML/text is converted or used directly.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 10:28 AM