acc-create-psr15-middleware

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The DispatcherMiddleware in references/examples.md performs dynamic method calls on objects retrieved from the dependency injection container using request attributes.
  • Evidence: The code retrieves _controller and _action from $request->getAttribute() and then executes $instance->$action($request).
  • Risk: If the routing system or any previous middleware allows user input to influence these attributes (e.g., via URI segments or query parameters), an attacker could execute arbitrary methods on any class available in the service container, leading to a complete system compromise.
  • [COMMAND_EXECUTION] (MEDIUM): The RateLimitMiddleware in references/templates.md implements flawed client identification logic.
  • Evidence: The getClientIp method prioritizes the HTTP_X_FORWARDED_FOR header over the actual connection remote address.
  • Risk: Since the X-Forwarded-For header is client-controlled and untrusted unless the server is behind a verified proxy, attackers can spoof their IP address to bypass rate limits, facilitating brute-force attacks or resource exhaustion.
  • [DATA_EXFILTRATION] (LOW): The SessionMiddleware in references/templates.md generates session cookies that are missing the Secure attribute.
  • Evidence: The cookie string is formatted as HttpOnly; SameSite=Lax but does not include the Secure flag.
  • Risk: Without the Secure flag, the session cookie can be sent over unencrypted HTTP connections, increasing the risk of session hijacking via packet sniffing in man-in-the-middle (MITM) scenarios.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:52 AM