hosted-agents

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In references/infrastructure-patterns.md, the AgentSandbox and ImageBuilder classes use os.system and sandbox.exec to run shell commands that interpolate user-provided variables without sanitization. For example, git config user.name "{user_identity['name']}" is vulnerable to command injection if the user's name or repository URL contains shell metacharacters (e.g., backticks or semicolons).
  • [DATA_EXFILTRATION]: The skill manages sensitive credentials including GitHub App installation tokens and user OAuth tokens. These tokens are passed as part of shell command strings (e.g., in git clone URLs), which can expose them in process lists or logs and makes them accessible to exploitation via the identified command injection vulnerabilities.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the automated cloning and execution of remote code from GitHub repositories using npm install and npm run build. This pattern inherently allows for arbitrary remote code execution within the hosted sandbox environment whenever an agent processes a repository.
  • [PROMPT_INJECTION]: The skill's architecture is susceptible to indirect prompt injection. Ingestion points: Untrusted data enters the agent context via repository files (AgentSession.read_file) and Slack mentions (handle_mention). Boundary markers: No delimiters or instructions to ignore embedded commands are present in the provided templates. Capability inventory: The system provides the agent with powerful capabilities including os.system, sandbox.exec, and arbitrary file-system writes. Sanitization: The implementation patterns do not include logic for sanitizing or escaping external content before it is processed by the agent.
Audit Metadata

Risk Level: MEDIUM

Analyzed: Mar 23, 2026, 01:30 PM