The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute multiple shell commands that include user-supplied URL strings without explicit sanitization. Examples include git clone <url>, python yt/cli.py -t "<url>", and python scraping_orchestrator.py <url>. If these URLs contain shell metacharacters (e.g., ;, &&, |), an attacker could achieve arbitrary command execution on the host system.
[EXTERNAL_DOWNLOADS]: The skill is designed to fetch content from any user-provided URL, including cloning entire repositories, downloading video transcripts, and scraping web articles. This introduces untrusted data into the local environment (~/lev/workshop/intake/).
[REMOTE_CODE_EXECUTION]: The skill facilitates the download and installation of 'skill packages' from the skills.sh marketplace or arbitrary URLs. While it delegates the lifecycle to a skill-builder component, the act of cloning and resolving external skills into the agent's active skill directories (~/.agents/skills-db/) represents a significant remote code execution and persistence risk.
[PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because its primary purpose is to ingest and 'analyze' content from external, untrusted sources.
Ingestion points: Content is pulled from GitHub repositories, YouTube transcripts, and web scrapers (SKILL.md).
Boundary markers: There are no defined boundary markers or instructions to ignore embedded commands within the fetched content.
Capability inventory: The skill possesses extensive capabilities, including shell execution (git), Python script execution, and file system modification (cloning/resolving skills).
Sanitization: No sanitization or validation of the downloaded content is performed before the agent is instructed to 'FOLLOW: The complete analysis framework loaded from that file' in Phase 2.

lev-intake