The Agent Skills Directory

[COMMAND_EXECUTION]: The skill constructs //go:generate directives by interpolating the interface_names parameter directly into a shell command template (mockery --name=<InterfaceName> --with-expecter=true). The lack of validation or sanitization on this parameter allows for command injection (e.g., using command separators like ; or && in the interface name). These injected commands would be executed in the user's shell environment when they follow the skill's instructions to run go generate ./....\n- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting untrusted data from the interface_names parameter and interpolating it into sensitive source code contexts (executable directives) without sanitization.\n
Ingestion points: interface_names parameter defined in reference.md.\n
Boundary markers: None (absent). The skill performs direct string interpolation into the //go:generate comment block without delimiters or safety instructions.\n
Capability inventory: The skill modifies Go source files and outputs recursive shell commands (go generate ./...) for the user to execute.\n
Sanitization: None (absent). There is no logic described to escape or validate the contents of the interface_names list for shell control characters.\n- [DYNAMIC_EXECUTION]: The skill generates executable content (shell commands embedded in Go comments) at runtime based on external input. This assembled code is then intended for execution via the Go toolchain, creating a pathway for arbitrary code execution if the input is manipulated.

mockery-generate