mcp-management
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The core functionality of the skill involves spawning subprocesses using the StdioClientTransport class in scripts/mcp-client.ts. It executes arbitrary commands and arguments fetched from the .claude/.mcp.json configuration file. This capability, while necessary for the skill's primary purpose, allows for local command execution which could be exploited if the configuration file is compromised or contains malicious entries.
- [EXTERNAL_DOWNLOADS] (LOW): The README and SKILL.md documentation suggest installing several external Node.js packages via npm and npx, including gemini-cli and various MCP servers from the @modelcontextprotocol scope. This introduces dependencies on external registries and third-party code execution at runtime.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection via the data it processes from MCP servers.
  1. Ingestion points: Data enters the agent context through scripts/mcp-client.ts via the listTools, getAllPrompts, getAllResources, and callTool methods.
  2. Boundary markers: The skill documentation recommends using a GEMINI.md file to enforce structured JSON responses, which serves as a partial boundary, though it lacks explicit 'ignore embedded instructions' warnings for raw tool output.
  3. Capability inventory: The skill has the ability to spawn subprocesses (MCP servers) and read/write local files (assets/tools.json).
  4. Sanitization: There is no evidence of sanitization or escaping of external content before it is interpolated into prompts or used in the subagent architecture.
Audit Metadata