refactor-skill

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses uvx skilllint@latest to download and execute the skilllint package at runtime. Executing unverified packages from a remote registry without version pinning allows for potential arbitrary code execution.
  • [COMMAND_EXECUTION]: The skill performs shell commands including uvx and grep to analyze and validate skills. This involves running commands with arguments derived from user input or file content.
  • [EXTERNAL_DOWNLOADS]: The use of uvx triggers downloads from the Python Package Index (PyPI) to fetch the skilllint utility at execution time.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes the full content of external SKILL.md and reference files. These files could contain malicious instructions designed to subvert the refactoring process or inject payloads into the newly created skills.
      • Ingestion points: Reads all lines of the target SKILL.md and all files in its references/ subdirectory (Phase 1).
      • Boundary markers: The instructions do not define delimiters or specific 'ignore embedded instructions' warnings for the ingested content.
      • Capability inventory: The skill has the ability to read, write, and move files, as well as execute shell commands (uvx, grep).
      • Sanitization: There is no mention of sanitizing or validating the content extracted from external files before it is used to generate new skill definitions or written back to the file system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 08:42 AM