The Agent Skills Directory

[COMMAND_EXECUTION]: A critical code injection vulnerability exists in Phase 5, Tier 2, and Tier 3, where the $INPUT_FILE shell variable is directly interpolated into a Python command string passed to python3 -c. A malicious user or an attacker-controlled filename (e.g., filename'); import os; os.system('...'); #) can escape the open() call to execute arbitrary Python and shell commands.
[EXTERNAL_DOWNLOADS]: The skill fetches the yake and scikit-learn packages from the official Python Package Index (PyPI) at runtime using uv run --with. These dependencies are not pinned to specific versions or cryptographic hashes, which is a violation of best practices for deterministic and secure execution.
[REMOTE_CODE_EXECUTION]: The combination of the Python injection vulnerability and the ability to download external packages at runtime allows for the execution of arbitrary code derived from external sources or crafted locally.
[PROMPT_INJECTION]: The skill processes untrusted terminal recording data from .txt files without sanitization or boundary markers, creating a surface for indirect prompt injection that could influence the agent's behavior during analysis reporting.
Ingestion points: Terminal recording files processed by rg, awk, and Python scripts in SKILL.md (Phases 4-6) and references/analysis-tiers.md.
Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands in the source data.
Capability inventory: Subprocess execution via Bash (including rg, fd, awk, and uv run), file system access via Read, and dynamic Python execution.
Sanitization: No validation or escaping is applied to input data before it is interpolated into shell commands or Python scripts.

asciinema-analyzer