sec-debt-covenant

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • Remote Code Execution (CRITICAL): The setup guide in references/mcp-setup.md instructs users to install Homebrew by piping a remote script directly into bash (curl -fsSL ... | bash). This pattern allows the remote source to execute arbitrary commands with the user's privileges and is a primary vector for system compromise.
  • Remote Code Execution (HIGH): The skill is designed to run the octagon-mcp server using npx -y octagon-mcp@latest. This downloads and executes code from the npm registry every time the server is started. Since the source repository and package are not within the defined trusted organizations, this represents a significant supply chain risk.
  • Indirect Prompt Injection (HIGH):
      • Ingestion points: The skill retrieves and analyzes 10-K, 10-Q, and 8-K SEC filings from external web sources via the octagon-agent tool.
      • Boundary markers: None. There are no delimiters or instructions to ignore embedded prompts within the retrieved filings.
      • Capability inventory: The skill uses the octagon-agent tool to perform financial analysis and potentially make decisions based on the data.
      • Sanitization: No sanitization or filtering of the external filing content is mentioned, meaning malicious instructions embedded in a filing (e.g., in a text section) could influence the agent's behavior.
  • Command Execution (MEDIUM): Installation and configuration instructions (README.md, references/mcp-setup.md) suggest passing API keys via environment variables in plain-text commands (env OCTAGON_API_KEY=<your-api-key>). This can expose sensitive credentials in shell history or process monitoring tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 05:51 AM