code-execution

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill is designed to facilitate local Python code execution with powerful APIs (fs, code, transform, git). While intended for 'bulk operations', this capability allows for arbitrary system commands and file modifications if the agent is manipulated by untrusted data.
  • [EXTERNAL_DOWNLOADS] (HIGH): The SKILL.md file instructs the user to run a setup script from an unverified path: ~/.claude/plugins/marketplaces/mhattingpete-claude-skills/execution-runtime/setup.sh. This pattern represents a high-risk installation vector from a non-trusted source (the user's own home directory or a third-party repository).
  • [PROMPT_INJECTION] (HIGH): The skill documentation uses authoritative markers to override normal agent behavior, such as 'IMPORTANT' (implied by the bulk operation trigger) and specific instructions to bypass standard file-reading protocols to save tokens.
  • [DATA_EXPOSURE] (MEDIUM): Although the documentation emphasizes 'metadata only', the provided APIs (fs.copy_lines, fs.read_file) allow for the full reading of source code, and the git API allows for git_push operations, creating a path for exfiltration of sensitive codebase data.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill specifically targets the processing of 'bulk operations' and 'complex workflows' involving large numbers of files.
    • Ingestion points: Processes any local project file via Path('.').glob('**/*.py') and fs.read_file.
    • Boundary markers: None detected in the provided examples; file content is processed directly.
    • Capability inventory: Full Python exec/eval environment, filesystem write (paste_code, write_file), and network-capable operations via git_push.
    • Sanitization: None provided. The skill is highly vulnerable to malicious instructions embedded within the codebase it is asked to 'audit' or 'refactor'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:55 PM