read-github

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill performs unpinned runtime downloads of Node.js packages. Evidence: In scripts/gitmcp.py, the functions list_tools and call_tool execute npx -y mcp-remote. This command downloads the mcp-remote package from the npm registry at execution time if not cached. Impact: This introduces a supply chain risk where a compromised npm package could execute arbitrary code on the host system.
  • REMOTE_CODE_EXECUTION (HIGH): The skill connects to and executes logic from remote, untrusted servers. Evidence: The npx -y mcp-remote [url] command establishes a connection to a remote Model Context Protocol (MCP) server at a URL derived from user/agent input (e.g., gitmcp.io). Impact: If the remote server is malicious, it could exploit vulnerabilities in the client or provide malicious tool definitions that lead to further exploitation.
  • PROMPT_INJECTION (Indirect, HIGH): The skill is highly vulnerable to Indirect Prompt Injection because its primary function is to ingest untrusted data from external repositories. 1. Ingestion Points: scripts/gitmcp.py retrieves content from external repositories via fetch-docs, search-docs, and search-code. 2. Boundary Markers: Absent. 3. Capability Inventory: The script uses subprocess.Popen. If the agent using this skill has other capabilities (like file manipulation), the risk is critical. 4. Sanitization: Absent. The script directly prints retrieved text to stdout for the agent to consume without filtering.
  • COMMAND_EXECUTION (MEDIUM): The skill relies on executing shell commands with arguments derived from potentially untrusted input. Evidence: subprocess.Popen(["npx", ...]) uses the repo argument provided to the script. Impact: While the conversion logic provides some normalization, using subprocess to run dynamic commands is a high-risk practice.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:07 PM