The Agent Skills Directory

EXTERNAL_DOWNLOADS (MEDIUM): The script scripts/fetch_refound_skills.py performs network requests to refoundai.com (a non-whitelisted/untrusted domain) to download content. While it downloads Markdown/HTML rather than executables, this content is subsequently processed by the agent.
**PROMPT_INJECTION (HIGH
Indirect):** The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because its core purpose is to ingest untrusted data (from the web or user input) and transform it into executable instructions.
Ingestion points: scripts/fetch_refound_skills.py (network) and scripts/extract_lenny_skill.py (local file read of untrusted content).
Boundary markers: While references/SECURITY_GUIDE.md acknowledges the risk, there are no technical enforcement mechanisms (like XML tags or strict delimiters) in the provided scripts to isolate untrusted data during processing.
Capability inventory: The skill possesses extensive file-system write capabilities (Path.write_text, os.mkdir in scripts/init_skillpack.py and scripts/batch_init_skillpacks.py) and command execution capabilities (subprocess.call in scripts/package_skillpack.py).
Sanitization: The skill uses yaml.safe_load and basic slugification for filenames, but lacks content sanitization to prevent malicious instructions in the source content from influencing the agent's output generation.
COMMAND_EXECUTION (MEDIUM): scripts/package_skillpack.py uses subprocess.call to execute the local Python interpreter. While it targets a specific local script (lint_skillpack.py), the pattern of spawning child processes on directories containing potentially malicious, newly-generated content increases the attack surface.
DATA_EXFILTRATION (LOW): scripts/fetch_refound_skills.py uses the requests library to connect to external sites. While currently used for downloading, this capability could be repurposed for exfiltration if the agent is manipulated via prompt injection.

lenny-skillpack-creator