Gen Agent Trust Hub audit: skills/tmdgusya/code-squad/subway

subway

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script orders/index.js is vulnerable to shell command injection. The main function extracts a substring from the order.timestamp field of a user-provided JSON file and passes it directly into a shell command executed via execSync in the gh function. An attacker can craft a malicious timestamp value (e.g., "; touch /tmp/pwned; #") to execute arbitrary system commands with the privileges of the agent.
  • DATA_EXFILTRATION (HIGH): The skill performs unauthorized sensitive file access. The parseEnv function in orders/index.js attempts to read ../../../.env. This path traversal targets environment files outside the skill's own directory, which often contain sensitive API keys, database credentials, or system secrets.
  • PROMPT_INJECTION (LOW): The skill presents an indirect prompt injection surface. 1. Ingestion points: untrusted customer and order data from JSON files. 2. Boundary markers: none used when constructing the markdown output. 3. Capability inventory: ability to post and update comments on GitHub repositories via the gh CLI. 4. Sanitization: none; the script directly interpolates JSON fields like customer and sandwich into markdown headers and tables, allowing an attacker to embed malicious instructions for downstream agents or users.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:22 PM