java-file-read-audit
Fail
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's decompilation strategy in 'references/DECOMPILE_STRATEGY.md' directs the download of a JAR decompiler from 'https://xget.xi-xu.me/gh/leibnitz27/cfr/releases/download/0.152/cfr-0.152.jar'. The account name 'leibnitz27' is the official GitHub account of the CFR maintainer, so the typosquatting comparison against 'leibniz27' does not hold. The supported concern is different: the URL does not fetch the release from github.com but routes it through a third-party mirror (xget.xi-xu.me), which can serve arbitrary content under a familiar-looking path, and the workflow as described downloads the JAR and runs it directly, with no checksum or signature verification mentioned. Automated security scanners have blacklisted this URL as malicious.
- [REMOTE_CODE_EXECUTION]: The workflow then executes the downloaded decompiler via 'java -jar'. Running an unverified JAR obtained through an untrusted mirror means that whoever controls the mirror (or the path between it and the host) can execute arbitrary code on the host machine with the agent's privileges, potentially leading to a full system takeover.
- [COMMAND_EXECUTION]: The skill utilizes shell commands including 'grep', 'find', and 'xargs' to audit project files. While these are common for auditing tasks, their integration into a workflow that downloads and executes malicious third-party binaries poses a high security risk.
- [PROMPT_INJECTION]: The skill demonstrates a surface for indirect prompt injection by ingesting and processing untrusted Java source code and compiled classes. 1. Ingestion points: Local source files and decompiled bytecode. 2. Boundary markers: Absent; there are no clear delimiters or instructions to ignore embedded commands in audited files. 3. Capability inventory: Access to shell execution and the ability to trigger other auditing tools. 4. Sanitization: No evidence of validation or sanitization of the content before it is processed by the agent.
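The check a practitioner would want in place of "download from a mirror, then `java -jar` it" is a pinned source plus an integrity check before execution. The script below is an added example written for this report; it is not code from the audited skill or from the CFR project. It assumes the official release URL on github.com is the only acceptable origin (a policy choice), and the SHA-256 value in `CFR_SHA256` is a placeholder, not the real digest of cfr-0.152.jar; the helper names (`sha256_of`, `verify_jar`, `host_of`, `fetch_and_run`) are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the audit or the audited skill.
# Fetch a decompiler JAR only from a pinned official release URL and refuse
# to run it unless its SHA-256 matches a pinned digest.

# Pinned official origin (github.com, not a third-party mirror).
CFR_URL="https://github.com/leibnitz27/cfr/releases/download/0.152/cfr-0.152.jar"
# PLACEHOLDER digest: replace with the digest you verified out of band.
CFR_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE -> hex digest on stdout. Tries sha256sum, shasum, openssl.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_jar FILE EXPECTED_SHA256 -> exit 0 if the digest matches, 1 otherwise.
verify_jar() {
  actual=$(sha256_of "$1") || return 1
  [ "$actual" = "$2" ]
}

# host_of URL -> the host component, used to reject mirrors and proxies.
host_of() {
  printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/]+)/.*$#\1#'
}

# fetch_and_run URL EXPECTED_SHA256 DEST [java args...]
# Downloads over HTTPS only, deletes the file on digest mismatch, and only
# then hands it to java. Any failure leaves nothing executed.
fetch_and_run() {
  url=$1; expected=$2; dest=$3; shift 3
  if [ "$(host_of "$url")" != "github.com" ]; then
    echo "refusing to download from non-official host: $url" >&2
    return 2
  fi
  curl -fsSL --proto '=https' -o "$dest" "$url" || return 1
  if ! verify_jar "$dest" "$expected"; then
    echo "checksum mismatch for $dest; not executing" >&2
    rm -f "$dest"
    return 1
  fi
  java -jar "$dest" "$@"
}

# Usage (network access required; not run here):
#   fetch_and_run "$CFR_URL" "$CFR_SHA256" ./cfr-0.152.jar --outputdir out/ target.jar
```

The host check is deliberately an allow-list of one origin rather than a deny-list of known-bad mirrors; a new proxy domain fails closed. The digest must come from somewhere other than the download itself (a release page you viewed manually, a vendored lockfile), otherwise the check only proves the file was not corrupted in transit.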
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE