team-delete
Warn
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes Bash commands using the '{name}' variable, which is directly derived from user input ($ARGUMENTS). This variable is inserted into the 'rm' command without sanitization, allowing for command injection if an attacker provides an argument containing shell metacharacters such as semicolons, pipes, or backticks (e.g., 'test; rm -rf /').
- [COMMAND_EXECUTION]: The skill is susceptible to path traversal attacks. The '{name}' variable is used to build a file path, and without validation, a malicious user could provide relative path segments like '../../' to delete sensitive files outside the intended '.team-profiles/' directory.
Audit Metadata