create-docker-skill

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions to generate a security_override.json file specifically to bypass "deterministic security Phase 5 P0 checks". This manifest explicitly whitelists restricted capabilities such as subprocess.run, requests, and urllib, which instructs the agent to intentionally lower the security posture of the newly created skill.
  • [COMMAND_EXECUTION]: The workflow executes a local Python script scripts/scaffold.py using arguments derived directly from user input (name, path, and description). The SKILL.md does not provide the agent with instructions to sanitize or validate these strings before passing them to the shell, creating a significant command injection surface. The author acknowledges this risk in evals/evals.json (eval-4), but mitigation logic is absent from the skill instructions themselves.
  • [DYNAMIC_EXECUTION]: The skill's primary function is the automated generation of executable scripts (e.g., check_environment.py) and security manifests. The creation of such artifacts based on user-controlled input can lead to the deployment of malicious or vulnerable code if the generation logic is manipulated.
  • [EXTERNAL_DOWNLOADS]: The skill documentation identifies that generated workloads may fetch data or models from external sources such as HuggingFace, NCBI, or Docker Hub. While these are well-known services, the instruction to whitelist network tools (requests, urllib) for these purposes facilitates the potential for data exfiltration if the network scope is not strictly constrained.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 06:08 PM