The Agent Skills Directory

[COMMAND_EXECUTION]: The script assets/nmap_scan_template.sh is vulnerable to arbitrary command injection. It constructs a command string NMAP_COMMAND using multiple variables derived from user-provided command-line arguments (such as TARGET and OPTARG) and then executes this string using the eval command. An attacker could provide a target like 127.0.0.1; rm -rf / to execute unintended commands on the host system.
[PROMPT_INJECTION]: The skill facilitates an indirect prompt injection attack surface by instructing the agent to parse and act upon data retrieved from external security scanners.
Ingestion points: The agent reads outputs from tools like Semgrep (security-results.json), Gitleaks (secrets-report.json), and dependency auditors (npm audit, pip-audit). These outputs can contain data sourced from scanned applications (e.g., page titles, headers, or metadata) that may be controlled by an attacker.
Boundary markers: None. The instructions do not define delimiters or provide specific prompts to the agent to disregard instructions embedded within the ingested data files.
Capability inventory: The skill is granted access to several powerful tools including Bash(test:security-*), Write, and Edit, which could be leveraged if an injected payload successfully influences the agent's behavior.
Sanitization: None. There are no requirements or steps described for validating or sanitizing the content of scan reports before the agent processes them.

performing-security-testing