gsd-oc-select-model

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bundled script scripts/select-models.cjs is vulnerable to shell command injection. It calls execSync with a command string built by interpolation, opencode models "${provider}", where provider (and likewise the sub-provider value) is taken directly from CLI arguments with no validation or shell escaping. execSync runs that string through a shell, and the arguments originate from user input collected by the agent's interactive selection tool (which offers a "Type your own answer" option), so a value containing shell metacharacters such as ;, &, |, $( ) or backticks terminates the intended command and runs arbitrary commands with the privileges of the agent process.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface.
    1. Ingestion points: User responses are collected through the question tool as specified in SKILL.md (Steps 2, 4, and 5).
    2. Boundary markers: None; the skill uses no delimiters or instructions to stop the agent from obeying instructions embedded in user-supplied strings.
    3. Capability inventory: The skill can execute system commands via its bundled Node.js script.
    4. Sanitization: No input validation or shell escaping is performed before the user-supplied strings are interpolated into system commands.
Recommendations
  • AI detected serious security threats. Until the script is fixed, do not install the skill in an agent that can run shell commands.
  • Standard remediation for the COMMAND_EXECUTION finding: invoke opencode with an argument array (execFileSync or spawnSync, no shell) rather than a string built from provider and sub-provider, and reject values that do not match an expected provider-name pattern before the command is run.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 15, 2026, 08:18 AM