ccw-help

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill documentation includes a section for 'Maintenance' that specifies running a local Python script: python scripts/analyze_commands.py. If an agent is prompted to update the system or fix the index, it may attempt to execute this script or guide the user to execute it, which could lead to arbitrary code execution if the script is modified or contains vulnerabilities.
  • [DATA_EXFILTRATION] (MEDIUM): The skill design explicitly uses relative paths that traverse several levels up from the skill directory (e.g., ../../../commands/). While intended for reading documentation, this pattern allows the agent to access files far outside its own directory. If the command.json index or the search inputs are manipulated, an attacker could potentially expose sensitive system configuration or credential files using the Read and Grep tools.
  • [PROMPT_INJECTION] (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests and summarizes content from external markdown files and a JSON database.
    • Ingestion points: command.json and the various .md files accessed via the source field.
    • Boundary markers: None detected; the skill does not use specific delimiters or instructions to ignore embedded commands in the documentation it reads.
    • Capability inventory: Read, Grep, Glob, and AskUserQuestion tools are available to the agent.
    • Sanitization: There is no mention of sanitizing or validating the content of the documentation files before presenting them to the user or incorporating them into its logic.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:45 PM