opper-python-agents
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The 'references/TOOLS.md' file includes an example 'calculate' tool that passes an 'expression' string to Python's 'eval()'. Because this string is supplied by the AI agent (often taken directly from untrusted user input), the pattern allows arbitrary code execution in the host environment. The accompanying warning comment does not mitigate the risk that a user copy-pastes the vulnerable example into production code.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The 'references/MCP.md' file recommends using 'npx -y' to fetch and execute MCP servers from the npm registry (e.g., '@modelcontextprotocol/server-filesystem'). This executes code fetched from an external repository at runtime without any integrity verification.
- [COMMAND_EXECUTION] (MEDIUM): The MCP configuration ('MCPServerConfig') allows the skill to spawn arbitrary subprocesses and run Docker containers. If an attacker succeeds in influencing the agent's reasoning, they could execute malicious commands or configure a malicious MCP server.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8), as it lacks sanitization and boundary markers for external data.
  - Ingestion points: The skill ingests untrusted data via 'agent.process(user_input)' in 'SKILL.md' and through tools such as 'fetch_url(url)' in 'references/TOOLS.md'.
  - Boundary markers: The examples show no explicit instructions or delimiters that would prevent the LLM from obeying instructions embedded in external data.
  - Capability inventory: The skill exposes dangerous capabilities, including 'eval()' execution in 'references/TOOLS.md' and subprocess execution ('npx', 'docker') via the MCP configs in 'references/MCP.md'.
  - Sanitization: The core examples demonstrate no input sanitization or validation of tool inputs.
Recommendations
- AI detected serious security threats
Audit Metadata