skills/dwsy/agent/coding-runner/Gen Agent Trust Hub

coding-runner

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to execute arbitrary CLI commands (e.g., codex, npm run dev, claude) using tmux sessions and a tool named interactive_shell. This provides an expansive attack surface if the commands are not strictly validated.
  • [REMOTE_CODE_EXECUTION]: In index.ts, the buildCommand function constructs shell commands using string interpolation. It only performs basic escaping of double quotes (prompt.replace(/"/g, '\"')). This is insufficient to prevent command injection, as other shell-active characters such as backticks (`), command substitution ($()), and logical operators (;, &&, ||) are not sanitized, potentially allowing an attacker to execute arbitrary code on the host system.
  • [CREDENTIALS_UNSAFE]: The index.ts file contains hardcoded absolute paths specific to a user profile (/Users/dengwenyu/.pi/agent). While intended for path blacklisting, the inclusion of specific local username paths can reveal information about the internal environment and structure.
  • [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes an untrusted prompt field and executes it within a shell context.
      ◦ Ingestion points: The prompt property in the CodingRequest object within index.ts is the primary entry point for untrusted data.
      ◦ Boundary markers: The skill uses double quotes to wrap the prompt, but these are easily escaped due to weak sanitization.
      ◦ Capability inventory: The skill has the capability to execute shell commands via interactive_shell and manage long-running background processes via tmux sockets (/tmp/pi-tmux-sockets/pi.sock).
      ◦ Sanitization: Sanitization is limited to escaping double quotes, which does not protect against other common shell injection vectors.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 06:08 AM