The Agent Skills Directory

[Unverifiable Dependencies & Remote Code Execution] (CRITICAL): The installation script extensions/chrome-tab-suspender/check-install.sh contains a dangerous piped-shell execution pattern: curl -LsSf https://astral.sh/uv/install.sh | sh. This executes code directly from an external URL without integrity verification or pinning, providing a direct vector for Remote Code Execution (RCE).
[Indirect Prompt Injection] (HIGH): The skill processes untrusted external data (process names, command-line arguments, and browser tab titles/URLs) and possesses high-privilege capabilities including process termination and file deletion.
Ingestion points: scripts/process_analyzer_uv.py (via psutil.process_iter), scripts/tab_suspender.py (via Chrome Native Messaging), and extensions/chrome-tab-suspender/background.js (via chrome.tabs.query).
Boundary markers: Entirely absent. The skill performs string matching against raw data without delimiters or instructions to ignore embedded commands.
Capability inventory: The skill uses subprocess.run, asyncio.create_subprocess_exec, pkill, and rm -rf (found in scripts/_archive/one-time/execute-cleanup.sh).
Sanitization: None. Data from the system or browser is used directly in logic decisions and diagnostic output, allowing an attacker to influence agent behavior by naming a process or a browser tab with malicious instructions.
[Privilege Escalation] (HIGH): The file SETUP-PASSWORDLESS-SUDO.md provides explicit instructions for the user to disable password prompts (NOPASSWD) in the sudoers file for several system binaries (purge, vm_stat, sysctl). This reduces the security posture of the operating system and can be leveraged by other malicious processes to perform privileged actions.
[External Downloads] (LOW): The skill performs downloads from astral.sh. While uv is a known utility, this domain is not included in the provided list of Trusted External Sources, and the download is used to facilitate the critical RCE finding mentioned above.

macos-resource-optimizer