The Agent Skills Directory

Unverifiable Dependencies & Remote Code Execution (HIGH): The skill employs a 'curl | bash' pattern to install its primary dependency. Findings: curl -fsSL https://rclone.org/install.sh | sudo bash in SKILL.md and scripts/setup.sh. This pattern is highly insecure as it executes untrusted remote code from a non-whitelisted source.
Privilege Escalation (HIGH): The installation script explicitly requests and uses sudo to execute the downloaded script, granting it full system access. Evidence: Use of sudo bash in scripts/setup.sh.
Data Exposure & Exfiltration (HIGH): The skill handles sensitive R2 credentials and stores them in plain text. Evidence: scripts/show-creds.sh and storage in ~/.config/rclone/rclone.conf. While no active exfiltration was detected, the exposure risk is high if the environment is compromised or the agent is prompted to show credentials.
Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection via the data it processes. 1. Ingestion points: Reads from R2 buckets via scripts/list.sh and scripts/download.sh. 2. Boundary markers: Absent. 3. Capability inventory: Shell execution, file system access, and network operations via rclone. 4. Sanitization: Absent; user-controlled variables are quoted but not filtered for malicious prompt instructions.

r2