
remote-skill-test

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection on the remote jump host. The user-provided test prompt is directly interpolated into a bash command string (e.g., opencode run --dangerously-skip-permissions "${FULL_PROMPT}") executed via SSH. An attacker could provide a prompt containing shell metacharacters (such as backticks or semicolons) to execute arbitrary commands on the remote system.
  • [COMMAND_EXECUTION]: The skill uses the --dangerously-skip-permissions flag with the opencode run command. This flag explicitly disables application-level security filters and confirmation prompts, allowing the agent to perform sensitive actions on the remote host without user oversight.
  • [EXTERNAL_DOWNLOADS]: During the setup phase, the skill executes npx skills add panlm/skills -y on the remote host. This command downloads and installs external code from the vendor's repository to the remote environment.
  • [REMOTE_CODE_EXECUTION]: The core purpose of the skill is to orchestrate the execution of code (other agent skills) on a remote jump host via SSH, which constitutes a form of remote code execution.
  • [DATA_EXFILTRATION]: The skill uses scp to retrieve files (reports and logs) from the remote environment to the local machine. While this is part of its intended functionality, it establishes a mechanism for moving data across network boundaries.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface. In Step 7, it reads and analyzes remote execution logs (opencode-run.log) and markdown reports generated by the target skill. If a skill being tested is malicious or processes untrusted data, it could produce output containing instructions that the analysis logic might inadvertently follow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 18, 2026, 02:22 AM