research

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill executes the gemini bash command using string interpolation for search prompts: gemini -m gemini-2.5-flash -p "...your search prompt...". If the prompt content (derived from user or research input) contains double quotes or shell metacharacters, it could lead to arbitrary command injection on the host system.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It possesses the critical combination of untrusted data ingestion and high-privilege capabilities. Evidence: 1. Ingestion points: data enters the context via WebSearch and docs-seeker (reading external GitHub repositories). 2. Boundary markers: absent; there are no delimiters or system instructions to ignore embedded commands in the researched text. 3. Capability inventory: the skill can execute shell commands and write files to the disk. 4. Sanitization: none; external content is directly processed and summarized into reports that include executable code blocks.
  • [DATA_EXPOSURE] (MEDIUM): The skill is vulnerable to Path Traversal. It writes reports to ./plans/<plan-name>/reports/YYMMDD-<your-research-topic>.md using variables that are not validated. An attacker could provide a <plan-name> like ../../etc/ to attempt to overwrite system configuration files or exfiltrate data by writing it to a known public directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 03:56 AM