skill-factory

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts fetch_github_info.py and import_github_skill.py execute system commands such as git ls-remote and git clone using URLs provided by the user. Although these are executed as argument lists (preventing shell injection), interacting with arbitrary external repositories via system binaries remains a security concern.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch content from arbitrary GitHub repositories via the GitHub API and raw content domains (raw.githubusercontent.com). This allows the agent to download untrusted data and code from the internet into the local file system.
  • [REMOTE_CODE_EXECUTION]: By downloading entire third-party repositories and generating execution templates (such as wrapper.py), the skill facilitates the preparation and potential execution of remote code. If the agent implements the logic as suggested in the generated 'TODO' blocks, it may inadvertently execute malicious code fetched from a compromised repository.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes untrusted data from external repositories.
      • Ingestion points: fetch_github_info.py reads the README.md from remote repositories, and import_github_skill.py downloads all repository contents.
      • Boundary markers: The skill does not implement boundary markers or instructions to 'ignore embedded commands' when it interpolates fetched README content into the new SKILL.md file.
      • Capability inventory: Across its scripts, the skill has the capability to write to the file system, make network requests (urllib), and execute system commands (subprocess.run).
      • Sanitization: No sanitization or validation is performed on the content of the downloaded files or on the text extracted from READMEs before they are used to define the behavior of the newly created skill.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 06:32 PM