create-psr7-http-message
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, SAFE)
Full Analysis
- [COMMAND_EXECUTION]: The UploadedFile class template in references/templates.md uses mkdir($dir, 0777, true) for directory creation. The 0777 permission set gives every user on the system full read, write, and execute access to the created directories, which is an insecure default configuration.
- [COMMAND_EXECUTION]: A code example in references/examples.md is vulnerable to path traversal because it builds the target file path by concatenating a base directory with getClientFilename(). That filename is supplied by the client and is not sanitized, so an attacker could use directory traversal sequences (e.g., ../) to write files to arbitrary locations.
- [CREDENTIALS_UNSAFE]: The example code in references/examples.md includes a hardcoded placeholder credential, Authorization: Bearer token123.
- [SAFE]: The ServerRequest template ingests untrusted data from PHP globals (e.g., $_SERVER, $_GET, $_POST) without internal sanitization. This is typical for PSR-7 implementations, but developers must treat the resulting objects as untrusted input and guard against indirect prompt injection and data manipulation when using them.
Audit Metadata