carousel-orchestrator

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: In SKILL.md Step 2, the PROJECT variable is constructed using a <slug> extracted from the user's message. This value is used directly in shell commands (mkdir, cd) without sanitization, which allows an attacker to execute arbitrary commands on the host by injecting shell metacharacters like ;, &, or backticks.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection. Ingestion points: user-provided topic and key points are extracted in SKILL.md Step 1. Boundary markers: no delimiters or safety instructions are used in the brief template (references/brief-template.md). Capability inventory: the codex exec --full-auto command provides autonomous file and command execution, while message(send) enables file exfiltration. Sanitization: no validation or escaping is applied to user strings before they are interpolated into the brief.
  • [REMOTE_CODE_EXECUTION]: The use of codex exec --full-auto in SKILL.md Step 3 creates a high-risk environment where an autonomous sub-agent executes logic based on a file containing unsanitized user input. This allows an attacker to hijack the sub-agent's session to perform unauthorized operations.
  • [EXTERNAL_DOWNLOADS]: The skill installs the playwright package from the npm registry in SKILL.md Step 2. Playwright is a well-known automation library from a trusted organization (Microsoft).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 3, 2026, 02:53 PM