skills/jschulte/stackshift/discover/Gen Agent Trust Hub

discover

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The file github-ecosystem-search.md contains multiple instances where variables derived from scanning untrusted code are interpolated into shell commands.
      • Evidence: The bash loop
            for name in "${DISCOVERED_NAMES[@]}"; do gh api "repos/{org}/${name}" ... done
        is vulnerable to command injection if ${name} contains shell metacharacters (e.g., backticks or $()).
      • Evidence: Templates like
            gh api "search/code?q=org:{org}+{package_name}+in:file"
        are intended to be filled with data found during a 'Signal Scan'. If {package_name} is retrieved from a malicious package.json file, the injected value could execute arbitrary code when the agent attempts to run the command.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill performs extensive network operations via the GitHub API to search for repositories and code.
      • Context: While GitHub is a trusted source, the skill's behavior of querying based on untrusted local data increases the attack surface.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
      • Ingestion points: Service names, package names, and resource names are ingested from the 'starting repo' (untrusted data).
      • Boundary markers: None. The instructions do not define delimiters or validation steps for the discovered names before use.
      • Capability inventory: The skill executes shell commands (gh api, git remote) and writes files to the local filesystem (.stackshift/ecosystem-map.md).
      • Sanitization: Absent. There is no escaping or validation of the discovered signals before they are interpolated into shell strings or markdown files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 05:42 AM