mkdocs-config-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is explicitly designed to process technical documentation (untrusted data) and has permissions to execute Bash commands and write to files. If an adversary embeds malicious instructions in the documentation files being processed (e.g., within markdown comments or metadata), the agent could be coerced into executing arbitrary commands or exfiltrating data.
      • Ingestion points: Uses Read and Grep to access local file content (Markdown files, existing MkDocs configurations).
      • Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the processed files.
      • Capability inventory: Read, Write, Edit, Bash, Grep. The presence of Bash and Write provides a direct path from injection to system impact.
      • Sanitization: No evidence of sanitization, validation, or safety-wrapping for data retrieved from the filesystem.
  • [Command Execution] (MEDIUM): The inclusion of the Bash tool in allowed-tools provides a powerful mechanism for system interaction. Given the skill's auto-activation on keywords related to documentation, an attacker could potentially trigger the skill and control the resulting shell commands by providing malformed or malicious documentation content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:06 AM