skill-tuning

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): Unsafe shell command construction is present in multiple files. In phases/actions/action-init.md, the variable skillPath (obtained directly from user input via AskUserQuestion) is interpolated into a Bash() call: Bash("cp -r \"${skillPath}\"/* \"${backupDir}/\""). The surrounding double quotes do not help, because a value that itself contains a double quote closes the quoted argument. A user providing a path such as "; touch /tmp/pwned; # (leading double quote included) would execute arbitrary commands.
  • COMMAND_EXECUTION (HIGH): The skill is vulnerable to command injection through target skill metadata. In phases/actions/action-abort.md, the restoration command Bash("cp -r \"${state.backup_dir}/${targetSkill.name}-backup\"/* \"${targetSkill.path}/\"") uses targetSkill.name, which is read from the SKILL.md file of the skill being tuned. A malicious skill can exploit this by including shell syntax in its name field, so the attacker here is the author of the skill being tuned, not the local user.
  • REMOTE_CODE_EXECUTION (HIGH): The file phases/actions/action-gemini-analysis.md executes a CLI tool (ccw cli) with a prompt derived from state.user_issue_description. The escapeForShell utility function only escapes double quotes, dollar signs, and backticks, failing to handle other shell metacharacters such as semicolons, pipes, and ampersands. Whether those are live depends on where the escaped value lands: inside a double-quoted argument they are literal, but an unescaped backslash is not; outside any quotes every one of them is a command separator. Independently of that, the state.target_skill.path variable used in the same command is not escaped at all.
  • DATA_EXFILTRATION (SAFE): No evidence of unauthorized data transmission was found. The skill accesses local files as part of its primary tuning and diagnosis purpose, and network activity is limited to the expected external analysis tool.
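The following script is an added reproduction of the interpolation pattern behind the two COMMAND_EXECUTION findings and the partial escaping in the REMOTE_CODE_EXECUTION finding; it is not the skill's own code. It mirrors the action-init.md call Bash("cp -r \"${skillPath}\"/* \"${backupDir}/\"") with echo cp in place of cp (nothing is copied; the command the shell actually ran is printed), uses a constructed payload, and shows two fixes: a POSIX single-quote helper (named shquote here, an assumption) and an existence check on the path before it is ever handed to a shell.

```shell
#!/bin/sh
# Added example (not the skill-tuning project's code). Reproduces the
#   Bash("cp -r \"${skillPath}\"/* \"${backupDir}/\"")
# pattern with `echo cp` instead of `cp`, so nothing is copied and the
# command the shell really executed is visible on stdout.

# Constructed attacker-controlled value. The leading double quote closes the
# quoted argument, ";" ends the cp command, "#" comments out the remainder.
PAYLOAD='"; echo INJECTED; #'

# Vulnerable: the value is pasted into the command string, so its quote
# characters become shell syntax. Prints "cp -r " and then "INJECTED".
vulnerable_backup() {
  skillPath=$1
  backupDir=$2
  sh -c "echo cp -r \"${skillPath}\"/* \"${backupDir}/\""
}

# Fix 1: quote for the shell. Inside single quotes nothing is special except
# the single quote itself, emitted as '\'' (close quote, escaped quote,
# reopen). Escaping only ", $ and ` (the escapeForShell approach from the
# finding) is not enough: a double quote in the value still terminates a
# double-quoted argument, and an unescaped backslash survives as well.
# Helper name shquote is an assumption for this example.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened: every interpolated value is a single literal argument, so the
# payload becomes a (non-existent) directory name, not a command.
safe_backup() {
  sh -c "echo cp -r $(shquote "$1")/* $(shquote "$2/")"
}

# Fix 2: validate before use. A skill path supplied by the user or read from
# SKILL.md must name an existing directory; anything else is refused before
# it reaches a shell at all.
valid_dir() {
  [ -d "$1" ]
}

# Example invocations (output shown when run stand-alone):
vulnerable_backup "$PAYLOAD" /tmp/backup
safe_backup "$PAYLOAD" /tmp/backup
valid_dir "$PAYLOAD" || echo "refused: not an existing directory" >&2
```

The same shquote treatment applies to targetSkill.name and targetSkill.path in action-abort.md and to state.target_skill.path in action-gemini-analysis.md; the directory check is the cheaper first line of defence, since neither a user-typed path nor a SKILL.md name has any legitimate reason to contain quotes or newlines.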
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:38 PM