headless-cli

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill references suspicious or hallucinated NPM packages. In references/gemini-cli.md, it instructs the user to run npm install -g @anthropic-ai/gemini-cli, which incorrectly uses the Anthropic vendor scope for a Google product. In references/codex-cli.md, it references @openai/codex, which is not a standard OpenAI package.
  • [COMMAND_EXECUTION] (HIGH): The skill systematically encourages users to bypass security guardrails using 'YOLO' flags such as --yolo, --dangerously-skip-permissions, and --dangerously-bypass-approvals-and-sandbox. These flags allow the AI to execute shell commands and modify files without any user confirmation.
  • [REMOTE_CODE_EXECUTION] (HIGH): The 'Headless' automation patterns provided (e.g., piping untrusted files directly into AI tools with YOLO mode enabled) create a direct path for attackers to execute code on the host system via Indirect Prompt Injection.
  • [PROMPT_INJECTION] (LOW): The skill has a high surface area for Indirect Prompt Injection (Category 8). Evidence: 1. Ingestion points: File piping via cat in examples (SKILL.md). 2. Boundary markers: Absent. 3. Capability inventory: Full shell access and file writing enabled via YOLO modes across all referenced tools. 4. Sanitization: None. This vulnerability allows external data to hijack the agent's high-privilege CLI session.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 19, 2026, 05:45 AM