advanced_tools

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The regex_replace function in scripts/mutation.py is vulnerable to command injection. It constructs a sed expression using string interpolation of the pattern and replacement arguments. In environments using GNU sed, an attacker can inject the e flag into the substitution command (e.g., by crafting a replacement string like payload|e) to execute arbitrary shell commands.
  • [COMMAND_EXECUTION]: The regex_replace tool in scripts/mutation.py explicitly includes an outside parameter that, when set to true, allows the agent to modify files outside the project root. This bypasses the intended security sandbox and enables the modification of sensitive system files, configuration files, or user profiles (e.g., ~/.bashrc).
  • [DATA_EXFILTRATION]: The smart_search and smart_find tools in scripts/search.py resolve the search_root parameter without verifying that the resulting path is within the project boundaries. This allows an agent to search and retrieve content from any directory the process can access, potentially exposing credentials, SSH keys, or other sensitive system data.
  • [PROMPT_INJECTION]: The skill represents a significant surface for indirect prompt injection.
    • Ingestion points: scripts/search.py (via smart_search and smart_find) and scripts/mutation.py (via batch_replace) ingest file contents from the local filesystem.
    • Boundary markers: None. The tools do not use delimiters or instructions to ignore embedded commands in the processed data.
    • Capability inventory: The skill has powerful capabilities, including arbitrary command execution via subprocess (rg, fd, sed) and direct file writing via Path.write_text.
    • Sanitization: None. Data retrieved from the codebase is passed directly back to the agent context without escaping or validation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 7, 2026, 03:39 AM