
skill-finder

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill is designed to install and execute code from external, unverified sources.
  • The npx skills add command downloads and installs content from any GitHub repository or the community repository at skills.sh into the user's environment.
  • The use of npx dynamically executes the skills CLI package, which is pulled from the npm registry.
  • [COMMAND_EXECUTION]: The skill documentation encourages the use of high-risk commands and administrative privileges.
  • The files references/cmd-add.md and references/cmd-remove.md explicitly suggest using sudo to bypass permission issues during skill management.
  • It recommends using chmod 755 to modify permissions on the ~/.agents/skills directory, which is a sensitive user-level path.
  • Example workflows include destructive commands such as rm -rf for manual directory deletion.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with external domains to fetch both data and executable content.
  • It searches for and retrieves metadata from the https://skills.sh/ domain.
  • It downloads repository contents and configurations from https://github.com/ based on user input or search results.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to the processing of untrusted community content.
  • Ingestion points: Metadata such as skill names and descriptions are fetched from npx skills find and the skills.sh API.
  • Boundary markers: The skill does not define clear boundaries or instructions to ignore embedded instructions within the fetched metadata.
  • Capability inventory: The skill possesses powerful capabilities including shell command execution (RunCommand), file reading (Read), and destructive file operations (rm -rf).
  • Sanitization: There is no evidence of sanitization or validation of the external content before it is parsed and presented to the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 27, 2026, 06:51 AM