readme-craft

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill contains literal templates for downloading and executing scripts directly from the internet via a shell pipe.
      • Evidence: Multiple instances of curl -sSL https://example.com/install.sh | bash are found in SKILL.md under sections such as 'Hero Section', 'Quick Start', and 'Installation'.
      • Risk: This is a classic RCE vector. While intended as a template, an automated agent might attempt to execute this command to 'test' the documentation it generated, or a developer might copy-paste it without updating the URL, leading to the execution of untrusted code from an unverified domain.
  • [COMMAND_EXECUTION] (MEDIUM): The skill provides instructions for sensitive command-line operations.
      • Evidence: Templates in SKILL.md and references/section-templates.md include chmod +x install.sh, apt install, brew install, and mytool init.
      • Risk: These commands modify system state or permissions. If generated and executed without human oversight, they can lead to unauthorized system changes.
  • [PROMPT_INJECTION] (LOW): The skill is designed to ingest and process untrusted external data in the form of existing project documentation.
      • Ingestion points: The skill description states it is for 'improving existing docs', meaning it reads existing user-provided README files and project documentation.
      • Boundary markers: Absent. The skill does not instruct the agent to ignore instructions embedded within the documentation it is processing.
      • Capability inventory: Based on the provided files, the skill's capability is limited to generating documentation text (display/output only).
      • Sanitization: Absent. There is no evidence of filtering or escaping malicious instructions found in the source documentation.
      • Risk: A malicious project could include documentation containing 'Indirect Prompt Injection' designed to hijack the agent's behavior during the README generation process.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://example.com/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 09:07 PM