autonomous-agent-patterns
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The SandboxedExecution class uses subprocess.run with shell=True. While it attempts to validate commands against an allowed list, the logic is flawed: shell metacharacters (e.g., ';', '&&') can be placed in the command arguments to execute unauthorized secondary commands after a legitimate one.
- [REMOTE_CODE_EXECUTION]: The MCPAgent pattern implements a method that uses an LLM to generate Python code, writes it to a file, and then dynamically loads it. This creates a direct pathway to arbitrary code execution if the LLM output is manipulated or if the input description contains malicious instructions.
- [DATA_EXFILTRATION]: Multiple tools, including ReadFileTool and EditFileTool, enable direct reading and writing of files using absolute paths. The ContextManager can ingest entire directories into the agent's context, which could lead to the unauthorized exposure of sensitive files such as SSH keys, configuration secrets, or environment files.
- [EXTERNAL_DOWNLOADS]: The ContextManager uses the requests library to fetch content from external URLs. This functionality allows the agent to pull remote content into its reasoning loop, which could include malicious payloads or hidden instructions.
- [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection through the ingestion of untrusted external data.
- Ingestion points: ContextManager.add_url and ContextManager.add_file ingest data from the web and the filesystem respectively.
- Boundary markers: No explicit boundary markers or safety instructions are used when interpolating external content into the LLM prompt context.
- Capability inventory: The agent has access to subprocess execution, filesystem read/write, network requests, and browser automation.
- Sanitization: The provided validation mechanisms for paths and shell commands are insufficient to prevent exploitation of the system's capabilities by an attacker providing malicious input through a processed file or URL.
Recommendations
- AI detected serious security threats
Audit Metadata