The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The skill directs the agent to execute a Python script using the Bash tool with arguments (name, text, keyword) derived directly from user input. This creates a potential for shell command injection if a user provides malicious characters like ';', '&', or '$()' that are not correctly escaped by the agent before execution.
[DATA_EXFILTRATION] (LOW): The script manage_snippets.py contains a hardcoded absolute path: '/Users/douba/Downloads/Snippets 2026-01-11 21.15.35.json'. This exposes the developer's username and targets a specific file in the Downloads folder. While this is the intended functionality, hardcoding paths to user-sensitive directories (where snippets may contain credentials) is a security risk.
[PROMPT_INJECTION] (LOW): SKILL.md contains forceful instructions ('IMPORTANT: You must use the Bash tool... Do not just display it') to override the agent's default behavior of showing code rather than executing it. While functional, this pattern reduces the agent's safety margin.
[INDIRECT_PROMPT_INJECTION] (LOW): The skill is vulnerable to malicious data in the snippet content. 1. Ingestion points: User-provided strings for the snippet name, text, and keyword in SKILL.md. 2. Boundary markers: The command template uses double quotes, but does not provide logic for escaping nested quotes. 3. Capability inventory: Execution of arbitrary commands via Bash tool, file system read/write via manage_snippets.py. 4. Sanitization: Absent at the shell execution level; the Python script relies on argparse which only protects once the script is successfully called.

raycast-snippets