skill-creator

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill uses sed to interpolate user-provided strings into template files (e.g., sed "s/{{DESCRIPTION}}/$DESCRIPTION/g"). Since these variables are not sanitized, a malicious user could provide input containing shell metacharacters or sed delimiters, potentially leading to arbitrary command execution or file corruption during the generation process.
  • [COMMAND_EXECUTION]: The skill performs filesystem modifications by using ln -sf to link generated skill folders into global configuration paths for GitHub Copilot CLI and Claude Code. This allows the skill to install persistent extensions to the agent's environment without explicit confirmation of the linked content's safety.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion points: User input for purpose and description in Phase 1 of the skill workflow. Boundary markers: None used during file generation. Capability inventory: The skill uses sed, mkdir, and ln to create and install instruction files. Sanitization: Only the skill name is sanitized via kebab-case conversion; the description and purpose are injected as raw strings into SKILL.md. This allows an attacker to persist malicious instructions into the core definition of the newly created skill.
  • [COMMAND_EXECUTION]: The scripts/init_skill.py script automatically creates new Python files and uses chmod 0o755 to make them executable. This capability could be abused to deploy and execute unauthorized scripts if the generation process is subverted.
  • [COMMAND_EXECUTION]: The skill's workflow depends on external shell scripts (such as scripts/validate-skill-yaml.sh) that are not included in the provided skill package, creating an unverified dependency on external execution logic.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 27, 2026, 11:11 PM