mcp-development

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The run_query tool in SKILL.md is vulnerable to SQL injection. It constructs database queries using direct string interpolation: db.query(`${query} LIMIT ${limit}`). The validation check startsWith("SELECT") is insufficient as it can be bypassed using subqueries or stacked statements to access sensitive tables or perform unauthorized actions.
  • [DATA_EXFILTRATION] (MEDIUM): The search_files tool allows for potential information disclosure. It accepts a directory parameter and uses it as the current working directory for a glob search without validating that the path stays within a restricted project root. This could be used to map out sensitive system files.
  • [PROMPT_INJECTION] (LOW): The review-code prompt template is susceptible to indirect prompt injection (Category 8). It takes untrusted code diffs and interpolates them directly into a user message without delimiters or protective instructions. Evidence Chain: 1. Ingestion point: diff parameter in review-code. 2. Boundary markers: Absent. 3. Capability inventory: Database access (run_query) and file system mapping (search_files). 4. Sanitization: Absent.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill imports @modelcontextprotocol/sdk. Although this is a recognized protocol framework, the package source is not on the pre-approved trusted organization list, and dependencies are not pinned to specific versions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:49 PM