vendure-plugin-reviewing

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Dynamic Execution (HIGH): Vulnerable shell command construction using xargs and sh -c.
      • Evidence: The automated check command: grep -rn "onApplicationBootstrap" --include="*plugin.ts" | xargs -I{} sh -c 'grep -L "onApplicationShutdown" {} 2>/dev/null' in SKILL.md.
      • Description: The placeholder {} is replaced by the output of grep -rn, which includes file paths and the content of matching lines. If a file path or the content contains single quotes or shell metacharacters (e.g., ;, $(), or `), it can break out of the sh -c command string and execute arbitrary commands on the host system. This is a classic command injection vector when processing untrusted code.
  • Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted external data (source code).
      • Ingestion points: Uses find and grep to read and display content from all .ts, .service.ts, and .entity.ts files discovered in the working directory.
      • Boundary markers: Absent; the skill does not use delimiters or clear instructions to the agent to ignore embedded instructions within the source code files it processes.
      • Capability inventory: Limited to local read-only shell utilities (find, grep, xargs). No file-write, network exfiltration, or persistence capabilities were identified in the skill scripts.
      • Sanitization: None; the skill performs raw text searching on file contents without any validation, filtering, or escaping of the ingested data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 08:01 AM