ask-add-agent

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The Python adapter templates provided in README.md and SKILL.md are vulnerable to path traversal. The get_target_path method uses the name field from a skill dictionary directly to construct a filesystem path without sanitization.
  • Evidence (README.md): skill_name = name or skill.get("name", "unknown") followed by return self.target_dir / skill_name / "SKILL.md". If an attacker-controlled skill provides a name like ../../.ssh/authorized_keys, the adapter would attempt to write to that path relative to the home directory.
  • Capability Inventory: The templates are designed to facilitate file-writing operations to sensitive locations like Path.home() and Path.cwd().
  • Sanitization: No sanitization or validation of the skill_name variable is present in the templates.
  • [Persistence Mechanisms] (LOW): The skill documentation describes how to write configuration and rules to global user directories (e.g., ~/.cursor/rules). While this is the intended purpose of the tool, it represents a sensitive capability that could be abused to maintain persistence if combined with malicious content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 10:06 AM