migrate-oai-app

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL

Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Remote Code Execution] (CRITICAL): The skill directs the agent to execute npm install and npm run start within a repository cloned from github.com/modelcontextprotocol/ext-apps. As the repository organization is not on the trusted list, this enables arbitrary code execution from an untrusted source via package scripts.
  • [External Downloads] (HIGH): The skill uses git clone to download external code to the /tmp directory without verifying the integrity or origin of the code.
  • [Indirect Prompt Injection] (HIGH): The skill directs the agent to read external files with significant execution capabilities. Ingestion points: /tmp/mcp-ext-apps/docs/ and /tmp/mcp-ext-apps/src/. Boundary markers: none provided to separate external content from instructions. Capability inventory: npm install, npm run build, npm run start, git clone. Sanitization: none detected. This surface allows an attacker to control agent behavior via malicious documentation or source code comments.
  • [Command Execution] (MEDIUM): The use of shell command substitution $(npm view ...) to determine version tags is a vector for command injection if the registry metadata or the package name is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 15, 2026, 11:07 PM