The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from multiple sources, including feature specifications, PR descriptions, and external websites via the browser_subagent. There are no instructions for sanitizing this input or using boundary markers (e.g., XML tags). A malicious actor could provide a PR comment or a 'test' URL containing instructions that override the agent's logic to execute arbitrary shell commands.
[Command Execution] (HIGH): The skill utilizes the run_command tool to execute test suites and automation scripts. Because the agent is encouraged to 'automate' and 'write scripts' (Playwright, Jest, k6) based on untrusted input, it may generate and execute malicious code on the host system if influenced by an injection attack.
[Data Exfiltration] (MEDIUM): In references/ci_test_runner_protocol.md, the skill is instructed to upload 'traces' and 'videos' to external storage (S3/GitHub Artifacts). This workflow provides a plausible pathway for an attacker to exfiltrate sensitive environment variables, source code, or configuration files by masquerading them as test artifacts.
[Dynamic Execution] (MEDIUM): The skill explicitly generates and executes code at runtime (writing test files with write_file and executing them via run_command). While intended for QA, this pattern increases the attack surface when the generated code incorporates logic derived from external, untrusted descriptions.

resonance-qa