FastMCP Development

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): The reference documentation in references/resources.md and references/tools.md provides implementation patterns for file reading tools (read_file) and resources (files://{path*}) that use Path(path).read_text() without any path sanitization or validation. This allows an agent to perform path traversal and read sensitive system files (e.g., SSH keys, configuration files, or credentials) if the agent is prompted to do so.
  • REMOTE_CODE_EXECUTION (MEDIUM): The references/composition.md file contains a "Plugin Architecture" example that uses importlib.util to dynamically load and execute Python modules using spec.loader.exec_module(module). This facilitates the execution of arbitrary code if an attacker can place files in the designated plugin directory.
  • COMMAND_EXECUTION (MEDIUM): The composition reference documentation describes a configuration pattern for launching MCP servers as subprocesses using shell commands (e.g., python ./db_server.py). This establishes a command execution surface that could be exploited if configuration sources are not strictly controlled.
  • PROMPT_INJECTION (LOW): Several examples, such as summarize_text in examples/basic_server.py, interpolate untrusted user input directly into LLM prompts (e.g., f"Summarize the following text... {text}") without using boundary markers, XML tags, or explicit instructions to ignore embedded commands, making the skill vulnerable to indirect prompt injection.
  • Ingestion points: text parameter in summarize_text and topic in explain_topic in examples/basic_server.py.
  • Boundary markers: Absent in all prompt templates.
  • Capability inventory: Subprocess execution, file reading, and network requests via httpx (as shown in references).
  • Sanitization: No input validation or escaping is present in the provided examples.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 11:22 AM