skills/ingpoc/skills/determinism/Gen Agent Trust Hub

determinism

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Finding: COMMAND_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script scripts/verify-json.sh is vulnerable to command injection via its filename argument.
  • Evidence: The script executes the following command: python3 -c "import json; json.load(open('$FILE'))". Because the shell variable $FILE is interpolated directly into the Python command string within single quotes, a filename containing a single quote followed by Python commands (e.g., test.json';import os;os.system('id');#) will trigger arbitrary code execution. This is a critical risk if the agent is tasked with verifying files originating from untrusted sources, such as external downloads or pull requests.
  • PROMPT_INJECTION (LOW): The skill introduces an attack surface for indirect prompt injection through its metadata parsing logic.
  • Ingestion points: scripts/validate-prompt.sh and reference files parse Markdown files to extract versioning and hash metadata.
  • Boundary markers (absent): Metadata is extracted from HTML comments (<!-- SHA256: ... -->) which are not cryptographically isolated from the file content and can be easily spoofed.
  • Capability inventory: The skill's primary purpose is to grant the agent the capability to execute shell commands and scripts to perform deterministic verification.
  • Sanitization (absent): The lack of filename sanitization or robust metadata validation increases the risk of path traversal or injection when the agent is directed to process files provided by external actors.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:37 PM