corporate-registration-consulting
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses 'npx k-skill-rhwp' to fetch and execute code from a public registry without a pinned version. If the package were compromised, or if a dependency confusion attack substituted a different package under that name, malicious code would run in the agent's environment.
- [COMMAND_EXECUTION]: The instructions direct the agent to execute shell commands such as 'mktemp' and 'chmod' to manage local temporary directories. While used here for security isolation (chmod 700), the general use of shell commands to process files increases the attack surface.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted user data (e.g., business purposes, names, and addresses) and interpolates it directly into Markdown and HWP templates via placeholder syntax. This data is subsequently processed by a CLI tool, creating a path where malicious input could influence document content or tool behavior.
  - Ingestion points: User-provided registration details via JSON or table input in SKILL.md.
  - Boundary markers: Uses double curly braces as placeholders in template files.
  - Capability inventory: Shell command execution, local file system write access, and execution of the external k-skill-rhwp tool.
  - Sanitization: Instructions in SKILL.md guide the agent to use placeholders and mask sensitive data in logs, but no technical validation is performed on the inputs.
- [DATA_EXFILTRATION]: The skill manages highly sensitive Personally Identifiable Information (PII), including full names, birthdates, and residential addresses required for legal forms. While the skill includes instructions to handle this data locally, the ingestion of such data into the AI agent context poses an inherent risk of exposure through session logging.
Audit Metadata