AgentDB Vector Search
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Obfuscation] (MEDIUM): The skill consistently uses '$' as a delimiter/obfuscator in file paths (e.g., '.$vectors.db'), package names (e.g., 'agentic-flow$reasoningbank'), and external URLs (e.g., 'https:/$github.com$ruvnet'). This is a deceptive practice used to evade static analysis of network destinations and dependency trees.
- [Remote Code Execution] (MEDIUM): The documentation repeatedly instructs users to run 'npx agentdb@latest', which downloads and executes arbitrary code from the npm registry. Neither the author ('ruvnet') nor the package 'agentdb' is in the trusted sources list, making this a high-risk operation for unverified remote code execution.
- [Persistence Mechanisms] (MEDIUM): The skill recommends adding an MCP server ('claude mcp add agentdb npx agentdb@latest mcp'). This persists the execution of the untrusted 'agentdb' package by ensuring it runs every time the agent initializes, creating a long-term execution bridge on the host system.
- [Indirect Prompt Injection] (LOW): The 'ragQuery' implementation surface allows untrusted external data (retrieved context) to be interpolated directly into LLM prompts without sanitization or boundary markers.
  - Ingestion points: Document content retrieved from 'db.searchSimilar' used in 'ragQuery' (SKILL.md).
  - Boundary markers: Absent; the prompt uses simple string concatenation.
  - Capability inventory: 'llm.generate' executes based on the polluted prompt.
  - Sanitization: None provided in the example code.
Audit Metadata