NYC

create-skill-from-repo

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Prompt Injection] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted content from external repositories.
      1. Ingestion points: Content is read from README.md, docs/, and wiki/ folders within the cloned repository.
      2. Boundary markers: There are no instructions or delimiters defined to prevent the agent from following instructions found within the repository's documentation.
      3. Capability inventory: The agent can execute git commands and write files to the local skills/ directory and AGENTS.md file.
      4. Sanitization: No sanitization is performed on the ingested text before it is used to generate new skill files.
  • [Command Execution] (LOW): The skill uses shell commands (git clone, git submodule add) with user-supplied repository URLs. Although the skill suggests validation, the security relies on the underlying agent's ability to safely handle shell arguments.
  • [External Downloads] (LOW): The skill's primary function involves downloading data from external URLs, which is a necessary but inherent risk if the source repository is malicious.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:55 PM