mcp-to-skill

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill contains explicit instructions in Step 4 to override standard safety behavior. It directs the agent to 'execute commands directly without asking users to confirm' and specifically forbids the agent from asking for confirmation or environment variable verification. This is a direct attempt to bypass user-in-the-loop safety constraints.
  • REMOTE_CODE_EXECUTION (HIGH): The skill relies on npx -y mcp-to-skill, which downloads and executes arbitrary code from the npm registry at runtime. The package mcp-to-skill is not from a trusted organization or repository. The script exec-with-env.sh also enforces execution of this remote package.
  • CREDENTIALS_UNSAFE (MEDIUM): The script exec-with-env.sh is designed to resolve and inject environment variables (like API keys) into a temporary configuration file. If the generated JSON is invalid, the script executes cat "$TEMP_CONFIG" >&2, which would print plain-text secrets to the error log/agent output.
  • COMMAND_EXECUTION (MEDIUM): The skill performs several sensitive filesystem operations, including chmod +x to make scripts executable and creating symlinks in the .agents/skills/ directory.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill processes untrusted MCP configurations from users and interpolates them into shell commands and scripts.
  • Ingestion points: Method A (conversation paste) and Method B (file path) in SKILL.md.
  • Boundary markers: None present; instructions are directly concatenated into a temp file.
  • Capability inventory: npx execution, cat, chmod, cp, and ln operations across SKILL.md and exec-with-env.sh.
  • Sanitization: Uses jq to validate JSON structure, but lacks sanitization for the environment variable expansion logic in the bash script.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 21, 2026, 12:17 PM