skill-manager

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill defines an 'Update Workflow' in SKILL.md that fetches README files from remote GitHub repositories and instructs the agent to refactor the local SKILL.md and wrapper.py files based on them.
      • Ingestion points: The agent fetches remote README content based on the github_url metadata read in scripts/scan_and_check.py.
      • Boundary markers: None. The agent is simply told to 'Refactor' based on the new content.
      • Capability inventory: The agent has the capability to write/overwrite SKILL.md and wrapper.py files (as described in Workflow 2).
      • Sanitization: None. The agent processes untrusted remote text and converts it into local code.
  • [Command Execution] (HIGH): The script scripts/delete_skill.py is vulnerable to path traversal. It uses os.path.join(root, skill_name) where skill_name is a command-line argument. On Windows, if an absolute path is provided as the second argument to join, it overrides the first, allowing the agent or a user to delete arbitrary directories (e.g., C:\Windows or C:\Users\<user>\Documents).
  • [Data Exposure] (LOW): Multiple scripts (delete_skill.py, list_skills.py, scan_and_check.py) contain hardcoded file paths (C:\Users\20515\.claude\skills). This exposes the host's specific username and directory structure.
  • [Command Execution] (MEDIUM): scripts/scan_and_check.py executes git ls-remote using URLs parsed from other skills' metadata. While it avoids shell execution by using a list of arguments, it still interacts with potentially malicious remote servers via the git protocol based on untrusted local metadata.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 08:57 PM