agentation

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Automated scans identified dangerous command patterns where network output is piped directly to an interpreter (curl | python3). While these are configured for local communication with the user's MCP server on localhost, the pattern remains a high-risk practice that could be exploited if the local service is compromised or the port is hijacked.
  • [EXTERNAL_DOWNLOADS]: The skill relies on downloading and executing code from the internet via npx -y agentation-mcp without version pinning. This exposes users to supply chain risks and the execution of unverified remote code from an untrusted third-party author.
  • [COMMAND_EXECUTION]: The skill requests broad permissions including Bash and Write capabilities. It includes setup scripts that modify hidden configuration files in the user's home directory (e.g., ~/.claude/settings.json, ~/.gemini/settings.json) to install hooks that automatically execute shell and Python commands on every agent interaction.
  • [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection. It ingests arbitrary text (comments) provided by humans via a browser UI and presents them to the agent as instructions. An attacker could inject malicious commands into these comments, which the agent might then execute using its system tools.
      • Ingestion points: User-provided comments enter the agent's context through the agentation_watch_annotations tool.
      • Boundary markers: Absent. The skill does not use delimiters or instructions to isolate user-provided content from agent instructions.
      • Capability inventory: The agent has access to Bash, Write, Grep, and Glob tools, allowing for high-impact exploitation.
      • Sanitization: No validation or sanitization is performed on the ingested comment text.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:4747/pending. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 7, 2026, 07:53 AM