skill-finder

Warn

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The add_skill.py script downloads content from raw.githubusercontent.com and interacts with the api.github.com API. While GitHub is a well-known service, the files retrieved are arbitrary scripts and markdown files from repositories specified by user input or search results.
  • [REMOTE_CODE_EXECUTION]: The skill's primary function is to download executable code from remote sources and store it locally for future execution. It retrieves Python scripts and other assets from GitHub and places them into the local environment.
  • [COMMAND_EXECUTION]: The add_skill.py script performs significant file system operations, including creating directories and writing downloaded binary and text data to the skills/ directory. It also communicates with a local service at localhost:62610 to register these scripts.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and installs SKILL.md files from external repositories. These files contain instructions that influence the agent's future behavior.
    • Ingestion points: find_skills.py (API responses from skills.sh) and add_skill.py (file contents from GitHub repos).
    • Boundary markers: No markers are used to encapsulate or delimit the external instructions from the core system prompt during the installation process.
    • Capability inventory: The skill possesses file-writing capabilities and local network access, and it installs new tools that will have their own command execution capabilities.
    • Sanitization: While the script filters some compiled file types (e.g., .exe, .so), it does not validate or sanitize the logic within the scripts or the instructional content in the markdown files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 10:28 PM