analyzing-security-headers

Warn

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/generate_report.py implements a generate_script method that assembles shell scripts from template strings and applies executable permissions using chmod(0o755). This facilitates the dynamic creation and preparation of executable code at runtime.
  • [DATA_EXFILTRATION]: The scripts/analyze_headers.py script performs recursive directory traversal and file metadata collection (rglob('*')) on a target path. This functionality is inconsistent with its stated purpose of HTTP header analysis and could be used to expose the structure and contents of the local file system to the agent.
  • [PROMPT_INJECTION]: scripts/analyze_headers.py contains deceptive docstrings and command-line help text that claim the script uses requests and beautifulsoup4 for web analysis, whereas the implementation is strictly for file system analysis. This discrepancy can mislead an agent into executing file system operations under the impression it is performing web audits.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it fetches data from external domains via WebFetch and utilizes that data to generate reports or scripts. The absence of boundary markers or sanitization logic in SKILL.md means malicious headers from a target site could influence the content of generated shell scripts. (Ingestion point: WebFetch in SKILL.md; Boundary markers: Absent; Capability: Script generation in generate_report.py; Sanitization: Absent).
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 13, 2026, 09:30 PM