The Agent Skills Directory

[Command Execution] (HIGH): The 'client-side tool execution' examples demonstrate running arbitrary shell commands derived from agent tool calls. This is performed using dangerous sinks that can lead to full system compromise.
Evidence: subprocess.run(command, shell=True) in examples/python/13_client_side_tools.py.
Evidence: execSync(command) in examples/typescript/13_client_side_tools.ts.
[Indirect Prompt Injection] (LOW): The framework provides a large attack surface for indirect injection by allowing agents to ingest data from external documents and archival memory. The lack of documented sanitization or boundary markers increases the risk that an attacker-controlled document could trigger the aforementioned command execution tools.
Ingestion points: 08_archival_memory.py (archival memory passages), agent-files.md (folder/file uploads).
Boundary markers: Absent; no instructions provided to delimit or ignore instructions within external data.
Capability inventory: subprocess.run, execSync, requests.get, and file system access via the Folders API.
Sanitization: Absent; commands are executed directly from tool arguments without validation.
[Data Exposure & Exfiltration] (MEDIUM): Examples demonstrate how to retrieve environment variables (secrets) and use network libraries to send data to external endpoints.
Evidence: 04_custom_tool_secrets.py shows how to use os.getenv for API keys and requests.get to communicate with external APIs.
[Dynamic Execution] (MEDIUM): The SDK's primary mechanism for tool creation involves sending Python source code as strings to be executed in a server-side sandbox.
Evidence: 08_custom_tool.ts and 11_client_injection.py utilize the source_code field to define and register new tools at runtime.

letta-api-client