The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill provides instructions and scripts in 'references/installation-workflow.md' that direct the agent to download and execute arbitrary code. Specifically, the workflow includes cloning repositories ('gh repo clone') and executing setup scripts ('bash setup.sh') or installing dependencies ('npm install', 'pip install') from any GitHub repository found via search results. Since these sources are untrusted and external, this allows for the execution of malicious remote scripts.
[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. Its primary workflow involves fetching and 'actually reading' the contents of SKILL.md files from arbitrary GitHub repositories (as described in Phase 3 and 4 of 'SKILL.md'). If a fetched file contains malicious instructions designed to override agent behavior, the agent could be compromised while evaluating the skill's quality.
[COMMAND_EXECUTION]: The skill makes extensive use of the GitHub CLI ('gh') and shell utilities ('grep', 'sed', 'jq', 'base64', 'bc') to process data from external sources. It frequently pipes output from internet-facing requests directly into decoders and local files (e.g., 'gh api ... | base64 -d > temp_skill.md'). This reliance on shell commands for processing untrusted external data creates a significant attack surface for command injection if repository names or file contents are maliciously crafted.
[EXTERNAL_DOWNLOADS]: The skill systematically downloads content from the GitHub API and clones external repositories into the user's environment ('.claude/skills/'). These downloads are triggered by user queries and can target any public repository, increasing the risk of ingesting malicious files.

skill-finder