The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection. It treats the entire conversation history as a trusted source for generating new agent capabilities.
Ingestion points: Current session context and conversation history (SKILL.md, Step 1).
Boundary markers: Absent. The instructions provide no delimiters or warnings to ignore malicious commands embedded in the processed history.
Capability inventory: File system writing (Write), modification of file permissions (chmod +x), and arbitrary code generation.
Sanitization: Absent. Success/failure data from the context is directly interpolated into new scripts and markdown files.
[REMOTE_CODE_EXECUTION] (HIGH): The skill's primary function is to generate and prepare new executable code at runtime based on untrusted inputs.
Evidence: Step 3 and Step 5 explicitly instruct the agent to generate Python or JavaScript files and then use chmod +x to make them executable. This creates a persistent RCE vector if the source context contains malicious logic.
[EXTERNAL_DOWNLOADS] (MEDIUM): The skill promotes the use of the uv script format for Python, which automatically resolves and downloads dependencies from external registries at runtime.
Evidence: Step 3 includes a dependencies block in the Python template, which the agent is encouraged to populate with arbitrary packages like 'requests' or 'ffmpeg'.
[COMMAND_EXECUTION] (MEDIUM): The skill uses shell commands to modify the environment and prepare generated scripts.
Evidence: Step 5 requires the execution of chmod +x on dynamically created files.

skill-extractor