The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): Flawed shell command sanitization. In templates/llm-action.md, the escapePrompt function only attempts to escape double quotes and dollar signs. It fails to handle command substitution characters like backticks (`), meaning a prompt containing a subshell command will be evaluated by the host shell during the Bash call. Additionally, in specs/scripting-integration.md, the ExecuteScript implementation builds command arguments by simply wrapping values in double quotes. This is vulnerable to breakout sequences (e.g., using "; [malicious command] #) which would result in arbitrary code execution on the host system.
[REMOTE_CODE_EXECUTION] (HIGH): Orchestrated execution of generated scripts. The skill is designed to generate Bash and Python scripts based on user-provided templates and then execute them using the Bash tool. Because the generation process interpolates potentially untrusted user input into executable code blocks without rigorous validation or sandboxing, it creates a direct path for Remote Code Execution (RCE).
[DATA_EXFILTRATION] (MEDIUM): Exposure of project data via command injection. The skill utilizes Read, Glob, and Grep to access project source code and configuration files (e.g., package.json). Combined with the identified command injection vulnerabilities, an attacker could easily exfiltrate sensitive environment variables, credentials, or source code to an external endpoint using utilities like curl or wget within the injected command context.
[INDIRECT_PROMPT_INJECTION] (LOW): Vulnerable ingestion surface. The skill generates components that process external data (e.g., code analysis). If the target data contains malicious instructions designed to exploit the weak escaping logic in the generated llm-action calls, it could lead to automated compromise of the agent's execution environment.

skill-generator