The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/main.cjs file uses child_process.execSync to invoke the ripgrep (rg) utility by concatenating strings that include filenames and directory paths without proper sanitization.
Evidence: In scripts/main.cjs, the command is constructed as: const cmd = \rg -lF "${nameWithoutExt}" ${sDirsCmdStr}`;wherenameWithoutExt` is derived from filenames on the local disk.
Vulnerability: If a file exists in the scanned directory with a name containing shell metacharacters (such as backticks or $(...)), the shell will execute those sequences when the skill runs.
[COMMAND_EXECUTION]: Input parameters for directory searching are interpolated into shell commands in a way that allows for command injection.
Evidence: The function searchStr in scripts/main.cjs wraps directory paths in double quotes: dirs.map(d => \"${d}"`)`.
Vulnerability: Standard shells (like bash or sh) still evaluate command substitutions inside double quotes. A malicious path provided in the searchDirs argument could lead to arbitrary code execution.
[REMOTE_CODE_EXECUTION]: The command injection surfaces in the script allow for the execution of arbitrary system commands, which can be leveraged to download and run remote payloads.
[PROMPT_INJECTION]: The skill's instructions include an "Iron Law" claiming it is "verified: true", which is a self-authoritative claim intended to bypass user or agent scrutiny regarding its safety.

stale-module-pruner