The Agent Skills Directory

[Privilege Escalation] (HIGH): The skill documentation suggests that the agent use sudo caddy start if port 80 is denied. Encouraging or executing commands with superuser privileges increases the attack surface significantly.
[Indirect Prompt Injection] (MEDIUM): The skill handles untrusted data from the user and the local environment to configure the proxy service. * Ingestion points: User-defined names and the current directory name ($PWD) via the basename command. * Boundary markers: None. * Capability inventory: Shell command execution (curl, lsof, sed, xxd) and interaction with the Caddy Admin API (localhost:2019). * Sanitization: Although the provided script template includes a regex-based sanitization step for directory names (sed 's/[^a-z0-9]/-/g'), there are no explicit constraints or sanitization logic defined for user-provided names. These could be crafted to inject malicious JSON properties into the Caddy configuration payload or potentially break out of shell command strings if interpolated unsafely by the agent.
[Command Execution] (LOW): The skill relies on several local CLI tools (brew, lsof, curl) to manage the system state. While appropriate for the skill's stated purpose, these tools represent a capability surface that can be abused if input handling is flawed.

caddy