tuzi-format-markdown

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/autocorrect.ts performs shell command execution with unsanitized input. The filePath variable is interpolated directly into a template string passed to execSync, allowing an attacker to execute arbitrary commands by providing a file name containing shell metacharacters.
  • Evidence: execSync(`npx autocorrect-node --fix "${filePath}"`, { stdio: "inherit" }); in scripts/autocorrect.ts.
  • Evidence: The backup logic in SKILL.md (Step 6) also uses unescaped file paths in a Bash script: mv "(unknown)-formatted.md" "(unknown)-formatted.backup-$(date +%Y%m%d-%H%M%S).md".
  • [EXTERNAL_DOWNLOADS]: The skill relies on npx to fetch and execute external packages (autocorrect-node and bun) at runtime without version pinning or integrity checks. This introduces a supply chain risk where the agent could execute malicious code if the package name is hijacked or the registry is compromised.
  • Evidence: Use of npx autocorrect-node in scripts/autocorrect.ts and npx -y bun in SKILL.md.
  • [REMOTE_CODE_EXECUTION]: The combination of unsanitized command execution and the dynamic downloading of remote packages creates a high risk of remote code execution on the host system.
  • [PROMPT_INJECTION]: The skill processes untrusted user-provided content to generate metadata, titles, and summaries, creating an attack surface for indirect prompt injection.
  • Ingestion points: Reading user-specified markdown or plain text files (SKILL.md Step 1).
  • Boundary markers: Absent; there are no delimiters or instructions to ignore instructions embedded within the processed file.
  • Capability inventory: The skill has the ability to read/write files and execute shell commands.
  • Sanitization: No sanitization is performed on the ingested content before it is processed by the LLM or used in script logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 6, 2026, 03:45 PM