os-eval-lab-setup

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run git, rsync, and npx, and the commands incorporate values derived from user input (<lab-repo>, <GITHUB_URL>, and <plugin-name>). Unless each value is quoted and validated against an allowlist pattern before it is placed in a command, a value containing shell metacharacters (`;`, `$(...)`, backticks, `|`) runs as part of the command rather than as data, and a value beginning with `-` is parsed by git and rsync as an option. Relying on the agent platform to escape these values is not sufficient; the skill's own commands are the place to enforce it.
  • [DATA_EXFILTRATION]: The core functionality copies local plugin files, which may contain proprietary logic or sensitive prompts, into a GitHub repository. This is the intended purpose, but the destination is entirely determined by the user-supplied <GITHUB_URL>, so a malicious or prompt-injected URL sends the files to any host that value names. Restricting the URL to an expected github.com owner, or confirming the destination with the user before pushing, limits this.
  • [PROMPT_INJECTION]: The skill generates an eval-instructions.md file by interpolating user-provided strings into a template, and that file is read as instructions by an AI agent in a later session. Text supplied during the intake phase therefore reaches the downstream agent as instructions rather than data, so a crafted intake value can override or extend the evaluation agent's instructions. Delimiting the interpolated fields does not reliably prevent this; the downstream agent should treat those fields as untrusted content.
  • [COMMAND_EXECUTION]: rsync -aL copies the target of each symlink as a regular file rather than preserving the link, so a symlink placed inside the plugin folder that points outside it (to any file elsewhere on the machine) is silently materialized into the destination and then pushed. Omitting -L, adding rsync's --safe-links option, or pre-checking that every symlink resolves under the source directory closes this.
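The following script is an added example written for this audit page, not the skill's own code, showing how the shell-facing findings above (metacharacter and option injection, an unrestricted push target, and symlink escape under rsync -L) can be closed in the skill's Bash step. The function names, the expected URL shape, and the rsync/git invocations are assumptions about how such a skill might be written; the demo tree it builds at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example (not the audited skill's code): validation and a symlink
# pre-check for a "copy local plugin into a lab repo" step. Function names,
# the accepted URL shape and the rsync/git calls are assumptions.
set -eu

# Allow only a conservative character set for the plugin name and reject
# ".", ".." and anything starting with "-", so the value can never become
# a path escape or an option to git/rsync/npx.
validate_plugin_name() {
  case "$1" in
    ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Accept only https://github.com/<owner>/<repo>[.git]. This rules out
# arbitrary hosts (the exfiltration target), ssh:// and ext:: transports,
# and every shell metacharacter. Owner/repo must start alphanumeric, so
# "." and ".." cannot appear as a path component.
validate_github_url() {
  printf '%s\n' "$1" |
    grep -Eq '^https://github\.com/[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9][A-Za-z0-9_.-]*(\.git)?$'
}

# Fail (status 1) if any symlink under $1 resolves outside $1, which is
# exactly what rsync -L would follow and copy. Uses readlink -f (coreutils).
find_escaping_symlinks() {
  root=$(readlink -f "$1") || return 1
  find "$root" -type l -exec sh -c '
    root=$1; shift
    status=0
    for link; do
      target=$(readlink -f "$link")
      case "$target" in
        "$root"/*) ;;
        *) printf "escaping symlink: %s -> %s\n" "$link" "$target" >&2; status=1 ;;
      esac
    done
    exit $status
  ' sh "$root" {} +
}

# Copy the plugin tree: no -L, so links stay links; --safe-links makes rsync
# skip any link whose target leaves the source tree; "--" ends option
# parsing so a name beginning with "-" cannot become an option.
sync_plugin() {
  src=$1; dest=$2
  validate_plugin_name "$(basename "$src")" || { echo "rejected plugin name" >&2; return 1; }
  find_escaping_symlinks "$src" || return 1
  rsync -a --safe-links -- "$src/" "$dest/"
}

# Point the lab repo at the validated destination only; quoting plus "--"
# keeps the value as data even if validation is later relaxed.
configure_lab_remote() {
  repo=$1; url=$2
  validate_github_url "$url" || { echo "rejected repository URL" >&2; return 1; }
  git -C "$repo" remote add lab -- "$url"
}

# Demo on a constructed tree: one real file plus a symlink that escapes to /etc.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/my-plugin"
  echo 'print("hi")' > "$tmp/my-plugin/main.py"
  ln -s /etc/passwd "$tmp/my-plugin/leak"
  if find_escaping_symlinks "$tmp/my-plugin"; then
    echo "check missed the escaping symlink"
  else
    echo "escaping symlink rejected, as intended"
  fi
  if validate_github_url 'https://github.com/acme/lab;curl evil'; then
    echo "url check missed a metacharacter"
  else
    echo "metacharacter in URL rejected, as intended"
  fi
  rm -rf "$tmp"
}
demo
```

The symlink pre-check is deliberately separate from rsync's own --safe-links so the skill can refuse the whole intake, and tell the user why, before anything is copied or pushed; --safe-links alone would silently drop the link and continue.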
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 06:08 PM