The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill downloads code from an external, non-vendor GitHub repository.
Evidence: The file scripts/install-skill-seekers.sh contains commands to clone a repository from https://github.com/yusufkaraaslan/Skill_Seekers into the user's home directory.
Evidence: SKILL.md identifies this repository as a required dependency for the 'automated' creation path.
[REMOTE_CODE_EXECUTION]: The skill executes code and installs dependencies from an untrusted source.
Evidence: scripts/install-skill-seekers.sh runs pip3 install -r requirements.txt on files downloaded from the unverified GitHub repository.
Evidence: The same script prompts the user to execute ./setup_mcp.sh from the downloaded repository, which allows for arbitrary shell command execution.
[COMMAND_EXECUTION]: The skill programmatically executes downloaded scripts and system commands.
Evidence: references/skill-seekers-integration.md describes a logic where subprocess.Popen is used to run cli/doc_scraper.py from the downloaded Skill_Seekers directory.
Evidence: The scripts/check-skill-seekers.sh file executes python3 -c "import cli.doc_scraper" to verify the state of the downloaded code.
[PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection attacks due to its data ingestion model.
Ingestion points: The skill ingests untrusted data by scraping documentation from arbitrary URLs provided in the user request (e.g., react.dev, docs.rs).
Boundary markers: There are no explicit boundary markers or instructions to ignore malicious embedded commands in the ingested documentation content.
Capability inventory: The skill has powerful capabilities including writing new skill files to the filesystem (~/.claude/skills/), executing shell commands via scripts, and downloading external code.
Sanitization: There is no evidence of sanitization, filtering, or escaping of the scraped documentation content before it is used to generate new skill instructions.

skill-factory