The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's workflow (Step 1 and Step 2 in SKILL.md) involves executing shell commands on user-provided binary names and running sample commands. This allows for the execution of arbitrary local binaries under the guise of an audit.
[EXTERNAL_DOWNLOADS]: The skill provides instructions to clone or fetch remote repositories from arbitrary GitHub URLs provided by the user to analyze their source code.
[REMOTE_CODE_EXECUTION]: The combination of cloning external repositories and executing 'sample commands' from those repositories (Step 2.6) creates a direct path for remote code execution if the audited tool or repository contains malicious logic.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from CLI outputs and external source code.
Ingestion points: Untrusted data enters the agent context through file reads of audited source code and capturing stdout/stderr from CLI tool executions (SKILL.md, Steps 1 and 2).
Boundary markers: The skill lacks any instructions to use delimiters or warnings to ignore embedded instructions within the processed data.
Capability inventory: The skill possesses powerful capabilities including shell command execution (run), file system modification (write in Step 5), and network access via git clone (Step 1).
Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is used to determine scoring or code improvements.
[COMMAND_EXECUTION]: The 'Fix Gate' (Step 5) instructs the agent to apply modifications directly to source code. This capability could be abused by a malicious tool providing 'improvement' suggestions through indirect prompt injection that actually inject a backdoor into the local codebase.

cli-agent-experience