The Agent Skills Directory

[EXTERNAL_DOWNLOADS] (MEDIUM): The templates/package.json file includes a dependency on agents (version ^0.2.20). The public npm registry package with this name is a legacy, unrelated tool. The skill's code expects an agents/mcp module, suggesting it refers to an internal or specific SDK. Using un-scoped, generic package names in package.json without a private registry specified creates a risk of dependency confusion attacks.
[PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The mcp-oauth-proxy.ts file implements tools that interact with the GitHub API, creating a high-risk vulnerability surface.
Ingestion points: list_repos, get_repo, and create_issue tools ingest untrusted data from GitHub (e.g., repository names, descriptions, and issue contents).
Boundary markers: None. There are no delimiters or instructions to the agent to ignore embedded instructions within the processed GitHub data.
Capability inventory: The skill includes high-privilege operations such as octokit.rest.issues.create and octokit.rest.repos.delete.
Sanitization: Data is validated for type using Zod, but the natural language content is not sanitized or escaped before being presented to the agent, allowing malicious instructions in a GitHub repo description to potentially influence the agent's actions (e.g., tricking the agent into deleting a repository).
[COMMAND_EXECUTION] (HIGH): The mcp-oauth-proxy.ts template includes a delete_repo tool. While it implements a basic allowlist check (ALLOWED_USERNAMES), the presence of such a destructive capability in a tool that processes untrusted external data significantly increases the impact of potential exploitation.
[CREDENTIALS_UNSAFE] (LOW): The templates and documentation use placeholders (e.g., YOUR_JWT_TOKEN_HERE, YOUR_KV_ID) and emphasize the use of wrangler secret put for sensitive values. No hardcoded production secrets were detected.

cloudflare-mcp-server