developer-toolbox
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is vulnerable to indirect prompt injection because agents like code-reviewer, debugger, and test-runner ingest untrusted data (source code, stack traces, and test files) from the local filesystem using the Read tool. There are no boundary markers or explicit instructions to ignore embedded commands in the processed data. This ingestion surface is paired with HIGH-tier capabilities including the Bash tool for command execution and the Edit tool for file modification, enabling an attacker to trigger malicious side effects through instructions hidden in code comments or documentation.
- Data Exposure & Exfiltration (HIGH): The debugger.md agent includes instructions to use tcpdump for network investigation. This utility can capture sensitive unencrypted traffic, including credentials, tokens, or private data, which could lead to accidental exposure or intentional exfiltration if redirected.
- Command Execution (MEDIUM): The test-runner.md and build-verifier.md agents are designed to execute local scripts and build processes (e.g., npm test, npm run build, pytest). These commands rely on configuration files (package.json, requirements.txt) that may be controlled by an untrusted party if the agent is tasked with reviewing or testing an external repository or pull request.
Recommendations
- AI detected serious security threats