mf-config-check
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Node.js script via a Bash command that interpolates a JSON string directly into the shell arguments without prior sanitization. If the input data (collected from the project being analyzed) contains malicious characters such as single quotes, an attacker could potentially break out of the intended command and execute arbitrary shell commands.
  - Evidence: The execution pattern `node scripts/config-exposes-check.js --context '<MFContext-JSON>'` in `SKILL.md` is susceptible to command injection via the `<MFContext-JSON>` placeholder.
- [DATA_EXFILTRATION]: The configuration script uses file system checks on paths derived directly from project configuration values. Because these paths are not validated or sanitized, they are vulnerable to directory traversal attacks, allowing an attacker to confirm the existence of sensitive files (e.g., SSH keys, environment files) anywhere on the system the agent has access to.
  - Evidence: In `scripts/config-exposes-check.js`, the code `const full = path.join(projectRoot, rel); if (!fs.existsSync(full))` resolves arbitrary relative paths provided in the `exposes` configuration.
- [PROMPT_INJECTION]: The skill processes untrusted project data, creating a surface for indirect prompt injection. A malicious repository could provide crafted configuration files that, when processed by this skill, trigger the aforementioned command execution or file probing behaviors.
  - Ingestion points: Data entering the system via the `mf-context` skill, which reads local project files like `package.json` or bundler configs.
  - Boundary markers: The use of single quotes in the shell command is insufficient for securing interpolated JSON data.
  - Capability inventory: The skill has permissions to execute `node` via `Bash`, read files, and resolve glob patterns.
  - Sanitization: No evidence of input validation or escaping for the `MFContext` data before its use in shell commands or path resolution.
Audit Metadata