skills/soliplex/flutter/patrol/Gen Agent Trust Hub

patrol

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill interpolates the $ARGUMENTS variable directly into Bash command strings in SKILL.md (e.g., patrol test --target integration_test/$ARGUMENTS). A malicious input containing shell metacharacters (e.g., ;, &, |) would allow an attacker to execute arbitrary system commands with the agent's privileges.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill is designed to run Flutter/Patrol integration tests from the local filesystem. This constitutes a significant attack surface for Indirect Prompt Injection (Category 8). Malicious code embedded in the integration_test/ directory of an untrusted repository would be executed by the agent during the test run. There are no boundary markers or sanitization steps to mitigate this risk when handling external codebases.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill triggers the download of Android system images via sdkmanager and Playwright browser binaries via the patrol CLI. While these represent external code execution, the sources (Google and Microsoft/Patrol) are within the Trusted External Source scope, downgrading this specific finding per [TRUST-SCOPE-RULE].
  • [COMMAND_EXECUTION] (MEDIUM): The setup instructions in setup/android-setup.md encourage the modification of the PATH and JAVA_HOME environment variables. If an agent applies these instructions in a multi-user or shared environment without validation, it could lead to binary hijacking or privilege escalation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:06 AM