verifier

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to run arbitrary shell commands defined in the run field of the input verification-spec. This allows for the execution of any command available in the agent's environment, such as npm or grep, which can be abused to perform unauthorized actions if the input is malicious.
  • [DATA_EXFILTRATION]: The skill instructions require the agent to report evidence for every check, which includes stdout/stderr from commands and snippets of code from the filesystem. If a malicious specification is processed, this reporting mechanism can be used to exfiltrate sensitive data like credentials, environment variables, or private source code back to the requester.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing structured task definitions from the agent's context.
      ◦ Ingestion points: The verification-spec XML-like block provided as input to the skill.
      ◦ Boundary markers: While the skill uses XML-like tags to identify the specification block, it lacks instructions to treat the content as data only or to disregard any embedded instructions that might attempt to override behavior.
      ◦ Capability inventory: The skill has access to shell command execution, file system read access, and the ability to perform semantic reviews of code through agent judgment.
      ◦ Sanitization: There is no evidence of sanitization, escaping, or validation of the commands, file paths, or patterns provided in the input specification.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 11:04 AM