NYC

debug-cli

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill frequently executes a local binary (./target/debug/forge) and uses cargo build. While typical for a development/debug skill, an attacker who can modify the local build environment or the source code could achieve arbitrary code execution when the agent follows these instructions.
  • DATA_EXFILTRATION (LOW): The skill uses curl (implied by the network-based purpose of the 'forge' application) and exports conversation data to HTML/JSON files. While the instructions don't show data being sent to an external attacker's server, the mechanism for dumping sensitive conversation state (conversation dump) could be misused to expose private information.
  • PROMPT_INJECTION (MEDIUM): Category 8 (Indirect Prompt Injection) risk is present because the skill is designed to process external 'conversations' (via --conversation or clone). If these external conversations contain hidden instructions, the agent might follow them while attempting to 'debug' or 'reproduce' the bug. No explicit sanitization or boundary markers are mentioned in the workflow.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:26 AM