contextkeeper

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/ckpt.sh script is vulnerable to shell command injection. It uses an unquoted heredoc (<< JSON) to generate checkpoint files, which causes the shell to evaluate command substitution patterns (e.g., $(...) or backticks) within the $SAFE_MESSAGE, $SAFE_BRANCH, and $SAFE_RECENT_COMMITS variables at runtime. These variables are derived from user input or git metadata.
  • [COMMAND_EXECUTION]: The scripts/dashboard.sh script is vulnerable to command injection when parsing checkpoints. It extracts the timestamp field using grep and sed and interpolates it directly into a python3 -c command string, allowing for arbitrary code execution if the checkpoint file contains a malicious payload.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests untrusted data from git branch names, filenames, and commit messages (ingestion points) and stores them in JSON files (boundary). The skill possesses the capability to execute shell commands and file writes (capability inventory). While a json_escape function is present (sanitization), it fails to escape characters that trigger shell expansion, allowing metadata from external repositories to influence script execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 5, 2026, 05:42 PM