plugin-creator

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted user data (business requirements) to generate executable code and plugin architectures. This creates an attack surface where a malicious user could supply requirements crafted to trick the agent into generating insecure or malicious plugins.
    • Ingestion points: User input for business requirements and plugin descriptions in the README.md workflows.
    • Boundary markers: Absent from the template files; the skill relies on the agent's interpretation of the requirements.
    • Capability inventory: The generated plugins (MCP servers) are able to execute system commands and perform network operations.
    • Sanitization: The helper scripts (init_plugin.py) perform no sanitization of the user-provided names or descriptions that are written into the generated files.
  • Dynamic Execution (LOW): The skill uses scripts to generate new executable files from templates. While this is the intended functionality of a scaffolding tool, it produces source code (.py, .ts, .md) that is subsequently executed by the user or the agent.
    • Evidence: scripts/init_plugin.py uses shutil.copytree to create plugin directories from the assets/templates/ folder.
  • Command Execution (SAFE): The developer scripts include functionality to run local validation logic. This is standard development automation and does not involve risky remote execution or shell injection patterns.
    • Evidence: scripts/package_plugin.py uses subprocess.run to call validate_plugin.py for plugin quality checks.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 22, 2026, 11:29 AM