opencli-autofix

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data from external websites. Ingestion points: the skill reads page.snapshot and page.networkRequests from a diagnostic.json file generated by the opencli tool (Step 1). Boundary markers: the instructions lack delimiters or warnings to ignore embedded commands within the website content. Capability inventory: the skill has Edit permissions to modify local files and Bash permissions to execute commands (Steps 4 and 5). Sanitization: no validation or sanitization of the website content is performed before the AI uses it to decide on code patches.
  • [REMOTE_CODE_EXECUTION]: The skill implements a pattern of script generation and execution based on external input. It instructs the agent to analyze failure data from an external site, generate a patch for a TypeScript file at a path provided in the diagnostic data (RepairContext.adapter.sourcePath), and then run the modified file using opencli. This allows a malicious website to indirectly influence executable code on the local system.
  • [COMMAND_EXECUTION]: The skill uses shell tools like cat, sed, and opencli with arguments derived from potentially untrusted tool output. Specifically, the path used in cat <RepairContext.adapter.sourcePath> is not validated, which could lead to arbitrary file read or write if the diagnostic data is manipulated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 03:04 PM