python-dependency-management

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill executes binaries located within potentially untrusted project directories.
      • Evidence: In scripts/detect_venv.sh, the detect_venv function iterates through common venv directory names (.venv, venv, .claude-venv, env, .env) and executes "$venv_name/bin/python" --version or "$venv_name/Scripts/python.exe" --version to determine the Python version.
      • Risk: An attacker-controlled repository can include a malicious shell script at .venv/bin/python. When the AI agent runs this skill to analyze the repository, it will execute the attacker's script with the same privileges as the agent.
  • COMMAND_EXECUTION (MEDIUM): The skill automatically executes system-level package managers based on the presence of specific files in the project.
      • Evidence: scripts/detect_package_manager.sh and scripts/utils.sh execute commands such as uv, poetry, conda, pipenv, pdm, and pip (e.g., uv --version, pip list) if their respective lock files are found.
      • Risk: While these are standard tools, their execution is triggered by files within the analyzed project, which could lead to exploitation if the package managers themselves have vulnerabilities when handling malicious lock files.
  • INDIRECT_PROMPT_INJECTION (HIGH): The skill ingests untrusted data from the project (file paths and configuration content) and uses it to drive execution logic without sufficient isolation.
      • Ingestion points: File system structure (directory names) and the content of requirements.txt, pyproject.toml, and lock files.
      • Boundary markers: None. The skill assumes the files and directory structures found in the project are benign.
      • Capability inventory: Execution of local binaries, execution of system package managers, and modification of .gitignore and memory files.
      • Sanitization: Minimal. While is_valid_package_name exists in scripts/utils.sh, it only validates string patterns and does not prevent the execution of malicious local binaries detected during venv discovery.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 13, 2026, 09:44 PM