create-skill
Fail
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The 'verify-skill.md' workflow extracts CLI tool names from other skill files and executes them using 'which {tool}' and '{tool} --version'. This presents a command injection vulnerability because the tool names are derived from untrusted source data and are not sanitized before being incorporated into shell commands.
- [COMMAND_EXECUTION]: The 'references/api-security.md' file provides implementation examples for a credential wrapper script that uses 'eval' on variables built from user-supplied service and profile names. This pattern is inherently dangerous and can lead to arbitrary command execution if the input parameters contain shell metacharacters.
- [EXTERNAL_DOWNLOADS]: The skill documentation encourages the installation of various third-party software packages from public registries like PyPI and npm (e.g., 'pypdf', 'pdfplumber', 'docx-js', 'vercel') to support skill functionality.
- [PROMPT_INJECTION]: The 'audit-skill.md' and 'verify-skill.md' workflows create an indirect prompt injection surface by reading and acting upon content from external, untrusted skill files.
  * Ingestion points: Ingests file content via 'cat' in 'workflows/audit-skill.md' and 'workflows/verify-skill.md'.
  * Boundary markers: None identified in the processing logic for analyzed files.
  * Capability inventory: Includes capabilities for file system access ('ls', 'cat'), script execution ('chmod +x'), and shell command execution ('which', '{tool} --version').
  * Sanitization: No validation or sanitization is mentioned for data extracted from skills and used in subsequent operations.
Recommendations
- AI detected serious security threats
Audit Metadata