eval-autoresearch-fit
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The instruction to use `find "$PROJECT_ROOT/plugins" -name "SKILL.md" | grep "$ARGUMENTS"` is a command injection risk. If the `$ARGUMENTS` variable contains shell metacharacters (e.g., `;`, `&&`, or backticks), it could allow for the execution of arbitrary commands beyond the intended search.
- [COMMAND_EXECUTION]: The skill uses a Python script (`update_ranked_skills.py`) which accepts a shell command as a string argument (`--evaluator-command`). This pattern of passing executable strings to scripts increases the risk of unintended code execution.
- [PROMPT_INJECTION]: The skill's documentation and templates (e.g., in `references/program.md`) include a 'NEVER STOP' directive. This is an instruction for the agent to bypass standard task completion boundaries and enter an infinite loop, which can lead to resource exhaustion and reduced human oversight.
- [REMOTE_CODE_EXECUTION]: The workflow involves the agent dynamically generating a script (`evaluate.py`) and then executing it as part of an autonomous loop. This allows the agent to create and run arbitrary code at runtime, which is a high-risk capability.
- [PROMPT_INJECTION]: The skill processes content from other `SKILL.md` files within the repository, creating a surface for indirect prompt injection.
  1. Ingestion points: Reads instructions and metadata from other plugin files via Step 1 and Step 2.
  2. Boundary markers: Absent; the agent is simply told to read the files fully.
  3. Capability inventory: The skill has access to bash, file writing, and Python execution.
  4. Sanitization: Content from the files being evaluated is not sanitized or escaped before being used to drive agent reasoning and scoring.