The Agent Skills Directory

[COMMAND_EXECUTION]: The skill provides a PHP implementation for a logging utility that applies insecure file system permissions.
Evidence: In Step 6, the log_debug function uses mkdir($logdir, 0777, true); to create a directory for log files.
Risk: Creating directories with 0777 (world-writable) permissions allows any user on the operating system to read, write, or delete files within that directory. This is particularly risky in shared server environments as it may lead to the exposure of sensitive debugging data such as SQL queries and execution traces.
[PROMPT_INJECTION]: The skill guides the creation of endpoints that ingest untrusted data from external sources, presenting an indirect injection vulnerability surface.
Ingestion points: Untrusted data enters the application through the execute_parameters() method in class implementations like your_api_name.php.
Boundary markers: The guidance suggests using Moodle's validate_parameters() function to delimit and validate inputs.
Capability inventory: The skill demonstrates database write/read operations ($DB->insert_record, $DB->get_records_sql), file system manipulation (mkdir, file_put_contents), and course management capabilities.
Sanitization: The tutorial utilizes Moodle's built-in PARAM_* validation system, although it explicitly references PARAM_RAW which bypasses standard cleaning and requires additional care to prevent secondary vulnerabilities.

moodle-external-api-development