skills/hairyf/skills/pnpm/Gen Agent Trust Hub

pnpm

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • Remote Code Execution (CRITICAL): File references/core-installation.md contains instructions for installing pnpm using curl -fsSL https://get.pnpm.io/install.sh | sh - and Invoke-WebRequest https://get.pnpm.io/install.ps1 | Invoke-Expression. These patterns execute remote, unverified scripts directly in the shell.
  • Persistence Mechanisms (HIGH): File references/features-completion.md provides instructions to modify user shell profile files (such as ~/.bashrc and ~/.zshrc) to source completion scripts, which allows for persistent code execution in every new shell session.
  • Indirect Prompt Injection (HIGH): The skill is designed to process untrusted project data (e.g., package.json, pnpm-workspace.yaml, .npmrc) and possesses high-privilege execution capabilities like pnpm run, pnpm exec, and pnpm dlx. This creates a vulnerability where malicious instructions embedded in a project's metadata could influence agent behavior or execute commands.
      • Ingestion points: Reads package.json, pnpm-workspace.yaml, and .npmrc from the local workspace.
      • Boundary markers: None identified in the instructional content.
      • Capability inventory: Includes arbitrary command execution (pnpm run), binary execution (pnpm exec), and remote package execution (pnpm dlx).
      • Sanitization: No evidence of sanitization for script names or package metadata before execution.
  • Dynamic Execution (HIGH): Files references/features-hooks.md and references/features-finders.md describe the use of .pnpmfile.cjs, which allows for the execution of arbitrary JavaScript logic during the dependency resolution process. This mechanism can be exploited if an agent is tricked into running pnpm in a directory containing a malicious hook file.
  • Privilege Escalation (HIGH): File references/core-installation.md suggests using Add-MpPreference to modify Windows Defender exclusions, which requires administrative privileges and reduces the system's security posture.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 15, 2026, 09:13 PM