skills/parhumm/jaan-to/detect-design/Gen Agent Trust Hub

detect-design

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's platform detection logic in Step 0 uses a bash script that interpolates directory names directly into a find command: `ui_files=$(find {platform.path} ... )`. Because these names are taken straight from an `ls` of the filesystem and are neither sanitized nor escaped, a folder name containing shell metacharacters (e.g., `'; touch /tmp/pwned; '`) would result in arbitrary command execution on the host machine when the agent runs the detection process.
  • [REMOTE_CODE_EXECUTION]: The command injection vulnerability in the directory scanning logic allows for remote code execution. An attacker who can influence the folder structure of a repository being audited by this skill can execute arbitrary code within the agent's execution environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality of reading and summarizing untrusted codebase content.
    • Ingestion points: The skill reads file content, tokens, and components using Read, Glob, and Grep across the entire target repository in Steps 1 through 7.
    • Boundary markers: Although a template is used, there are no explicit boundary markers or instructions to the model to ignore instructions embedded within the code snippets it processes.
    • Capability inventory: The skill has broad write permissions to $JAAN_OUTPUTS_DIR and sensitive edit permissions for jaan-to/config/settings.yaml and files within $JAAN_CONTEXT_DIR.
    • Sanitization: No sanitization or filtering logic is present to handle malicious instructions or deceptive content found within the audited files before they are included in summaries or analyzed by the model.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 26, 2026, 08:48 PM