red-team-bundler

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Command injection vulnerability in the SKILL.md instructions. The agent is directed to use user-provided placeholders like '[topic-name]' directly in shell commands (e.g., 'mkdir -p temp/red-team-review-[topic-name]' and 'python3 ./scripts/bundle.py --manifest temp/red-team-review-[topic-name]/file-manifest.json'). This allows a malicious user to execute arbitrary commands by including shell metacharacters in the topic name.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified. The skill ingests untrusted project files and user input to create a single context bundle for external LLMs.
    1. Ingestion points: Source files listed in 'file-manifest.json' and threat model descriptions from the user.
    2. Boundary markers: Uses Markdown headers and code fences (e.g., '## File: path' and '```lang') but lacks explicit instructions to ignore embedded instructions.
    3. Capability inventory: The skill has Bash execution, file writing, and recursive file reading capabilities.
    4. Sanitization: No sanitization or escaping of the content from bundled files is implemented, which could allow instructions hidden in the codebase to manipulate the receiving AI's output.
  • [COMMAND_EXECUTION]: Dynamic script loading in 'scripts/manifest_manager.py'. The script modifies the Python 'sys.path' at runtime to include the project root and then attempts to import 'bundle_files' and path resolution helpers. This can lead to local code execution if a malicious file with a conflicting name is placed in the project directory where the skill is run.
  • [DATA_EXFILTRATION]: Risk of sensitive data exposure through bundling. While the scripts include default ignore patterns for '.env' and '.git' directories, the manifest-based bundling approach allows an agent or user to consolidate any accessible project files (such as SSH configurations or internal credentials) into a single artifact, facilitating easier extraction of sensitive information.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 3, 2026, 06:09 PM