senior-qa-engineer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH

Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The 'find-skills' skill allows the agent to discover and install external packages from unverified repositories. Evidence: .agents/skills/find-skills/SKILL.md explicitly directs the agent to offer installation of third-party packages using npx skills add <package> -g -y. The use of the '-y' flag to bypass confirmation is a high-risk pattern.
  • REMOTE_CODE_EXECUTION (HIGH): By facilitating the installation of arbitrary code from external GitHub repositories, the system is vulnerable to Remote Code Execution if an attacker provides a malicious skill package.
  • COMMAND_EXECUTION (MEDIUM): The skill pack contains multiple utility scripts and documentation examples that execute shell commands on the host system. Evidence: Python scripts in .agents/skills/skill-creator/scripts/ manage file packaging, and .agents/skills/cicd-testing-integration/SKILL.md includes shell command templates for pipeline automation.
  • PROMPT_INJECTION (LOW): The skill is designed to process untrusted data from user stories and defect reports, making it a target for indirect prompt injection. Evidence chain for Category 8:
    1. Ingestion points: user-story-verifier/SKILL.md (requirement analysis) and defect-lifecycle-manager/SKILL.md (bug logging).
    2. Boundary markers: no delimiters or instructions to ignore embedded commands are present in the analysis prompts.
    3. Capability inventory: the orchestrator can trigger the find-skills and skill-creator tools, which have significant system permissions.
    4. Sanitization: there is no validation or sanitization logic for ingested text.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:40 PM