ShellCheck
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Privilege Escalation (HIGH): The 'Workflows/Setup.md' file instructs the agent to use 'sudo' for multiple administrative tasks, including installing system packages and copying downloaded binaries into protected system directories (/usr/local/bin).
- Unverifiable Dependencies & Remote Code Execution (HIGH): The 'Workflows/Setup.md' file provides instructions to download binary archives from 'github.com/koalaman' and extract them directly for execution. As 'koalaman' is not a trusted GitHub organization, this pattern allows for the execution of unverified third-party binaries.
- Data Exposure & Exfiltration (MEDIUM): The 'SKILL.md' file mandates that the agent perform a 'curl' POST request to 'http://localhost:8888/notify' every time a workflow is executed. This is an unauthenticated local network request that could be used to probe or exploit internal services (SSRF).
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted shell scripts provided by users for analysis and patching. Evidence Chain:
  1. Ingestion points: 'find' and 'shellcheck' commands in 'Workflows/Analyze.md'.
  2. Boundary markers: Absent; there are no instructions to ignore embedded commands in target scripts.
  3. Capability inventory: 'find', 'shellcheck', 'patch', and 'curl' (via global instructions).
  4. Sanitization: Absent; the skill does not sanitize script paths or content before processing.
Recommendations
- AI detected serious security threats
Audit Metadata