fetching-library-docs

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The scripts fetch-docs.sh and fetch-raw.sh interpolate user-controlled variables such as $LIBRARY_NAME and $TOPIC directly into double-quoted shell command strings. Because the assembled string is handed back to the shell for evaluation rather than passed to the underlying tools as discrete arguments, an attacker can inject commands using $(command) or backtick syntax; the shell evaluates them during that second parse, before the underlying tools ever see the value.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on npx -y @upstash/context7-mcp for its core functionality. The -y flag suppresses the install prompt, so the package and its dependency tree are downloaded from the npm registry and executed at runtime, and the invocation carries no version pin. The code comes from the @upstash organization, which is not in the defined trust scope for this environment.
  • [REMOTE_CODE_EXECUTION] (HIGH): The combination of shell injection and runtime package execution provides a direct path for executing arbitrary code on the host system via crafted user queries.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to ingest and process documentation from external, untrusted sources. 1. Ingestion point: fetch-docs.sh (line 125) via fetch-raw.sh. 2. Boundary markers: Absent. 3. Capability inventory: Subprocess execution, command execution, and network access. 4. Sanitization: None. External content is parsed only for structural elements (code blocks/notes) and passed directly into the LLM context, so any instructions embedded in the fetched documentation reach the model unmarked, as if they were part of the task.
  • [PRIVILEGE_ESCALATION] (MEDIUM): Verification scripts and documentation suggest using chmod +x on the provided shell scripts. While common for development, this facilitates the execution of scripts that are vulnerable to the aforementioned injection attacks.
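The following is an added example, not code from the skill or from the Trust Hub audit, written to make the COMMAND_EXECUTION and EXTERNAL_DOWNLOADS findings concrete. fetch_unsafe reconstructs the eval-style interpolation the first finding describes (the real fetch-docs.sh and fetch-raw.sh are not reproduced here); lookup_docs is an assumed stand-in for the tool those scripts call; the helper names, validate_input's allowlist, and the version 1.0.0 used to show a pinned spec are all assumptions. unpinned_npx flags an npx invocation whose package spec carries no exact version, the condition behind the second finding.

```shell
#!/bin/sh
# Added example (not the skill's own scripts): the injection pattern behind the
# COMMAND_EXECUTION finding next to a safe equivalent, plus a pin check for the
# EXTERNAL_DOWNLOADS finding. lookup_docs is an assumed stand-in for the doc tool.

# Stand-in for the underlying documentation tool: prints the arguments it got.
lookup_docs() { printf 'lookup: %s | %s\n' "$1" "$2"; }

# Vulnerable pattern: LIBRARY_NAME and TOPIC are interpolated into a command
# string that the shell then re-parses (eval). Any $(...) or `...` in the
# values runs during that second parse, before lookup_docs sees them.
fetch_unsafe() {
  LIBRARY_NAME=$1
  TOPIC=$2
  eval "lookup_docs \"$LIBRARY_NAME\" \"$TOPIC\""
}

# Safe pattern: the values travel as separate argv entries and are never
# re-parsed, so shell metacharacters inside them are inert.
fetch_safe() {
  lookup_docs "$1" "$2"
}

# Defence in depth: reject anything outside the characters a library name or
# topic legitimately needs (allowlist chosen here as an assumption).
validate_input() {
  case "$1" in
    ''|*[!A-Za-z0-9._@/-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 (true) when the command line runs npx with a package spec that has
# no exact x.y.z version, i.e. code resolved from the registry at run time.
# Assumes a plain whitespace-separated command line.
unpinned_npx() {
  seen_npx=0
  for tok in $1; do
    if [ "$seen_npx" -eq 0 ]; then
      [ "$tok" = npx ] && seen_npx=1
      continue
    fi
    case "$tok" in
      -*) continue ;;                          # npx option such as -y
      @*/*@[0-9]*.[0-9]*.[0-9]*) return 1 ;;   # scoped package, exact version
      [!@]*@[0-9]*.[0-9]*.[0-9]*) return 1 ;;  # unscoped package, exact version
      *) return 0 ;;                           # no version, a range, or a tag
    esac
  done
  return 1   # no npx package spec in the command line
}

# Demonstration on a constructed payload.
payload='hooks$(echo INJECTED)'
echo "unsafe: $(fetch_unsafe react "$payload")"
echo "safe:   $(fetch_safe react "$payload")"
if validate_input "$payload"; then echo "validator: accepted"; else echo "validator: rejected"; fi
if unpinned_npx 'npx -y @upstash/context7-mcp'; then echo "npx: unpinned"; fi
if unpinned_npx 'npx -y @upstash/context7-mcp@1.0.0'; then :; else echo "npx: pinned (1.0.0 is a placeholder version)"; fi
```

Run as a script, the unsafe call prints hooksINJECTED while the safe call prints the payload verbatim; handing the values to the tool as separate arguments is the fix the first finding implies, and the validator rejects any metacharacter before the value is used at all. For the npx finding the corresponding fix is to pin an exact version, or to install the package from a lockfile ahead of time rather than resolving it from the registry at run time.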
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:10 AM