skills/dwsy/agent/workhub/Gen Agent Trust Hub

workhub

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Path traversal vulnerabilities exist in several commands. In commands/read.ts, the read command joins the documentation root with user-provided input without validation, allowing access to files outside the intended directory via .. sequences. In commands/create.ts, the createIssue and createPR functions use user-supplied category and description strings to construct directory paths and filenames, which permits arbitrary file creation outside the target docs/ folder if malicious paths are provided.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its document processing workflow.
      • Ingestion points: File content is ingested from the docs/ directory into the agent's context via commands/read.ts, commands/search.ts, and commands/list.ts.
      • Boundary markers: Absent; the skill outputs the raw, unsanitized content of markdown files directly to the agent without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill possesses significant file system capabilities, including directory creation (mkdir), file writing (writeFile), and file reading (readFile).
      • Sanitization: Absent; no validation or filtering of markdown content is performed to prevent the execution of embedded instructions, and path inputs are not sanitized to prevent traversal.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 4, 2026, 06:09 AM