The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The file references/find-polluter.sh is an executable shell script provided within the skill. It executes npm test on files identified via find. While intended for local debugging, providing executable scripts that run shell commands increases the attack surface if an agent is tricked into running the script on unintended paths.
[DATA_EXFILTRATION] (HIGH): The documentation in references/phase-1-investigation.md explicitly instructs the agent to run env and security list-keychains to gather diagnostic evidence. In an AI agent context, dumping environment variables and keychain identities into the conversation history or logs is a high-risk activity that can lead to the exposure of sensitive API keys and credentials.
[PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) because its primary purpose is to process external, untrusted data (error messages, logs, bug reports) and use that information to 'Implement single fix' (Phase 4). This combination of untrusted data ingestion and code-writing capability is a high-severity vulnerability.
Ingestion points: SKILL.md (Phase 1: Read errors), references/phase-1-investigation.md (Diagnostic instrumentation output).
Boundary markers: Absent. There are no instructions to delimit or sanitize external logs from the agent's instructions.
Capability inventory: references/find-polluter.sh (shell execution), Phase 4 (Code modification/file write permissions).
Sanitization: Absent. The skill does not provide methods for escaping or validating the content of error logs before the agent acts on them.

systematic-debugging