The Agent Skills Directory

[COMMAND_EXECUTION]: The script terminal_cli.sh uses bash -c "$COMMAND" to execute the string provided in the command parameter. There is no validation, filtering, or restricted shell environment applied to this input. This allows the execution of any command the host user is permitted to run, including destructive commands like rm -rf or system configuration changes.
[DATA_EXFILTRATION]: Because the skill permits arbitrary shell access, it can be used to read sensitive configuration files (such as ~/.ssh/id_rsa, .env files, or cloud provider credentials in ~/.aws/credentials) and transmit them to external servers using pre-installed tools like curl, wget, or nc.
[REMOTE_CODE_EXECUTION]: The skill facilitates the execution of arbitrary code strings at runtime. An attacker who can influence the input to this skill can achieve full code execution on the system where the agent is running.
[INDIRECT_PROMPT_INJECTION]: The skill represents a high-capability attack surface for indirect injections. If the agent processes untrusted data (e.g., summarizing a webpage that contains a malicious terminal command), it might be tricked into executing that command using this skill.
Ingestion points: The command parameter in SKILL.md accepts arbitrary strings from the agent's context.
Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the skill definition.
Capability inventory: Full shell execution via bash -c in terminal_cli.sh.
Sanitization: No sanitization or validation is performed on the input string before execution.

terminal