ruthless-refactorer

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH

COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The workflow explicitly instructs the agent to execute a shell script using run_shell_command("~/.gemini/extensions/pickle-rick/scripts/get_session.sh").
      • Suspicious Path: The script is located in a hidden directory (.gemini) and belongs to an unrelated extension named 'pickle-rick'. Hardcoding paths to execute scripts from outside the skill's own directory is a strong indicator of malicious intent or dependency on side-loaded malware.
      • Arbitrary Code Execution: By calling a shell script that is not part of the skill's distributed files, the author can execute arbitrary commands on the user's machine if the target file exists or was dropped by a previous malicious session.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest and refactor codebases, creating a surface for indirect instructions to influence agent behavior.
      • Ingestion points: Uses codebase_investigator to read target files and map dependencies.
      • Boundary markers: No delimiters or instructions to ignore embedded commands within the code being refactored are present.
      • Capability inventory: Includes run_shell_command, activate_skill, and file modification capabilities.
      • Sanitization: There is no mention of escaping or validating the content of the files read from the codebase before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 06:00 PM