ai-rag-pipeline

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses Bash to run the infsh CLI and interpolates variables containing untrusted external data (such as search results from Tavily or Exa) directly into command arguments. In multiple examples throughout SKILL.md, variables like $SEARCH_RESULT and $SEARCH are placed inside double-quoted shell strings: --input "{... $SEARCH_RESULT ...}". Double quotes do not prevent the shell from expanding backticks or $(...), so if the external search result contains shell metacharacters such as backticks, $(...), or semicolons, it could lead to arbitrary command execution on the host system.
  • [REMOTE_CODE_EXECUTION]: Because the command injection vulnerability can be triggered by content fetched from the public web via search tools, an attacker could host malicious content designed to execute remote scripts (e.g., using curl | bash) when processed by this skill.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection.
    - Ingestion points: Untrusted data enters the agent context via the $SEARCH, $SEARCH_RESULT, $TAVILY, $EXA, and $CONTENT variables derived from external web tools.
    - Boundary markers: There are no boundary markers or delimiters used to separate the external context from the system instructions.
    - Capability inventory: The skill has access to Bash(infsh *), which can be used to run various platform apps and potentially access other tools.
    - Sanitization: No sanitization, escaping, or validation of the retrieved web content is performed before it is interpolated into prompts or shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 12, 2026, 10:00 PM