stat-data-fetcher
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
NO_CODE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [NO_CODE] (MEDIUM): The skill instructions direct the agent to execute a Python script (fetch_worldbank.py) that is missing from the provided source. This prevents a full security audit of the actual data-fetching logic and any potential side effects.
- [COMMAND_EXECUTION] (LOW): The skill is designed to run shell commands (python3 fetch_worldbank.py ...). While standard for such tools, it represents a capability that could be abused if the script were maliciously modified or if the arguments were susceptible to injection.
- [EXTERNAL_DOWNLOADS] (INFO): The skill intends to communicate with the World Bank API. While a trusted source, any network communication should be monitored for potential data exfiltration.
- [PROMPT_INJECTION] (INFO): The skill possesses an Indirect Prompt Injection surface (Category 8). Ingestion points: Data entering via the World Bank API. Boundary markers: None provided in the metadata or instructions. Capability inventory: Local script execution via subprocess and data display/export. Sanitization: Cannot be verified due to missing source code. Risk is minimal for statistical data but the architectural surface is present.
Audit Metadata