senior-security

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and analyze external content, which creates a significant attack surface.
  • Ingestion points: threat_modeler.py and security_auditor.py take <project-path> and <target-path> as inputs, reading all files within those directories.
  • Boundary markers: No delimiters or isolation instructions are provided to prevent the agent from obeying instructions found within the files it is auditing.
  • Capability inventory: The skill claims to provide 'automated fixes' (file write access) and includes commands for docker, kubectl, and npm, which provide a path to full system compromise if the agent is misled by poisoned data.
  • Sanitization: There is no evidence of input sanitization or validation of the content being analyzed.
  • Command Execution (MEDIUM): The skill defines multiple Python scripts (threat_modeler.py, security_auditor.py, pentest_automator.py) that are executed with arbitrary user-supplied options and paths. This facilitates local command execution and potentially command injection if the scripts do not properly sanitize arguments.
  • Credentials Unsafe (LOW): The setup instructions specifically direct the user to manage .env files (cp .env.example .env), which are high-value targets for data exposure and exfiltration if the agent is compromised via prompt injection.
  • External Downloads (MEDIUM): The workflow requires running npm install and pip install -r requirements.txt without specifying versions or verifying the integrity of the dependencies, which could lead to the installation of malicious packages (typosquatting or supply chain attacks).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:49 AM