The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill facilitates the installation of dependencies from a target repository using commands like pip install -e . or pip install -r requirements.txt. This allows a target repository to execute arbitrary code on the host system during the installation process through setup.py scripts or malicious dependency specifications.
[COMMAND_EXECUTION]: The scripts/bootstrap_env.py and scripts/plan_setup.py scripts generate and execute shell commands to manage environments. Although commands are executed via list-based subprocess calls to avoid shell injection, the skill performs significant system-level operations.
[PROMPT_INJECTION]: The scripts/prepare_assets.py script parses README.md and configuration files from the target repository to extract setup hints. This data is returned to the agent without sanitization, creating an attack surface for indirect prompt injection where malicious instructions in a repository's documentation could influence the agent's behavior.
Ingestion points: scripts/prepare_assets.py reads README.md, README, and files in configs/ or config/ directories.
Boundary markers: The extracted strings are placed into a JSON manifest but lack explicit delimiters or instructions for the agent to ignore embedded instructions.
Capability inventory: The skill includes environment creation and dependency installation via subprocess.run in scripts/bootstrap_env.py.
Sanitization: No sanitization or filtering is performed on the extracted text beyond keyword matching.

env-and-assets-bootstrap