NYC

dependency-upgrade

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a significant attack surface by instructing the agent to ingest and process untrusted external content and then use that content to drive high-privilege operations.
  • Ingestion points: The skill reads CHANGELOG.md files from external URLs (e.g., via curl) and processes version data from package.json and from package-manager output.
  • Boundary markers: The ingested content is not delimited as data, and there are no instructions telling the agent to ignore commands embedded in it.
  • Capability inventory: The agent is given access to npm install (code execution via install scripts), npx (fetches and executes packages from the registry), fs.writeFileSync (arbitrary file write), and git (repository state manipulation).
  • Sanitization: No sanitization or validation of the external content is suggested before it is used to decide which packages to install or which code migrations to run.
  • [External Downloads] (MEDIUM): The skill relies heavily on downloading code from external registries using npm, yarn, and npx. These are standard developer tools, but the automated nature of the upgrade process increases the risk of installing a malicious or compromised version if the agent is misled by external data.
  • [Command Execution] (MEDIUM): The skill frequently executes shell commands to perform audits, analyze dependency trees, and run migrations. If an attacker can influence the package names or transform paths through indirect injection, they can achieve arbitrary command execution on the host machine.
Recommendations
  • AI detected serious security threats. The findings above point to the missing controls: delimit ingested CHANGELOG content as data, validate package names and versions before they reach npm or npx, and do not let external text shape shell commands.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:20 PM