skill-porter

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)

Full Analysis

The skill skill-porter is designed to convert skill definitions between Claude Code and Gemini CLI formats. It processes various text-based configuration files (Markdown, JSON, TOML) and orchestrates file system operations.

HIGH Severity Findings:

  • Command Injection (src/cli.js, src/optional-features/fork-setup.js, src/optional-features/pr-generator.js): The skill extensively uses child_process.execSync to execute shell commands. Several instances pass user-controlled input directly or indirectly to these commands without robust sanitization against shell metacharacters, creating a significant command injection vulnerability:
    • src/optional-features/fork-setup.js:
      • execSync(`git clone ${repoUrl} ${forkPath}`, ...): The repoUrl and forkPath variables are derived from user input (options.url, options.location). If these contain shell metacharacters (e.g., $(command), ;, &&), arbitrary commands could be executed. forkPath is path.resolve(options.location), which normalizes the path but does not prevent shell injection within the string itself.
      • execSync(`cp -r "${source}" "${destination}"`, ...): Although source and destination are quoted, the quoting alone does not rule out injection, especially if the input itself contains quoted commands or newline characters.
    • src/optional-features/pr-generator.js:
      • execSync(`git push -u ${remote} ${this.branchName}`, ...): The remote variable is user-controlled (options.remote). If it contains shell metacharacters, it could lead to arbitrary command execution.
    • Other git and gh commands are generally safer due to fixed arguments or proper escaping of constructed strings (e.g., commit messages, PR titles/bodies).

LOW Severity Findings:

  • Unverifiable Dependencies (package.json, src/optional-features/pr-generator.js):
    • The skill's direct Node.js dependencies (js-yaml, commander, chalk) are reputable and widely used. However, the PRGenerator feature explicitly relies on the gh (GitHub CLI) executable being installed and authenticated on the user's system. While gh is a trusted tool, the skill does not manage its installation, making it an external, unverified binary dependency from the perspective of the skill's own package management. The skill does check for its presence and authentication status.
  • Tool Restriction Incompleteness (src/converters/claude-to-gemini.js, src/converters/gemini-to-claude.js): The conversion logic for allowed-tools and excludeTools relies on a hardcoded list of allTools. If new tools are introduced to either Claude Code or Gemini CLI platforms, this list could become outdated. This might lead to converted skills having unintended permissions (either granting more access than intended by not excluding a new dangerous tool, or restricting too much by not allowing a new benign tool).

INFO Severity Findings:

  • Indirect Prompt Injection (General): As a skill conversion tool, skill-porter processes and generates skill definitions. If a source skill contains malicious prompt injection attempts, the converted skill will likely propagate these attempts into its output. The skill itself is not directly vulnerable to prompt injection in its own execution, but it acts as a conduit for such content. Users should be aware that converting a malicious skill will result in another malicious skill.

No issues were found related to: Obfuscation (beyond standard encoding), Privilege Escalation (operations are user-level), Persistence Mechanisms (beyond intended skill installation), or Time-Delayed / Conditional Attacks.

Recommendations

  • AI detected serious security threats

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 06:14 AM