runtime-evidence-debugger

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the user to build and run a Docker container with host volume mounting (-v $(pwd):$(pwd)). This setup allows the container (running as root by default in the provided Dockerfile) to write to any location within the mapped project directory on the host machine.
  • [COMMAND_EXECUTION]: The server.js implementation performs unvalidated file system operations. Specifically, it uses payload.logFile directly from a POST request body to create directories (fs.mkdirSync) and append data (fs.appendFileSync). An attacker could provide a path like ../../.ssh/authorized_keys or ../../.bashrc to achieve persistence or unauthorized file modification on the host, as the server lacks path sanitization.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted runtime data (logs from the application being debugged) and instructs the agent to analyze this data to form 'confirmed' or 'rejected' conclusions. If the application being debugged outputs malicious strings into the log file, they could influence the agent's logic during the Step 4 'Analyze Logs' phase. The skill lacks explicit boundary markers or sanitization for this log ingestion.
  • [EXTERNAL_DOWNLOADS]: The skill requires the user to build a Docker image from a local Dockerfile and run it. While the code is provided within the skill, the pattern of encouraging users to run local servers that bypass standard security boundaries (CORS: '*') increases the local attack surface.
  • [DATA_EXFILTRATION]: The instrumentation logic for JS/TS uses fetch to send potentially sensitive runtime data (variable values, stack traces) to a local server. While targeted at 127.0.0.1, this pattern could be easily modified to exfiltrate data to a remote endpoint.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 12, 2026, 10:47 AM