The Agent Skills Directory

[Command Execution] (LOW): The Bash CLI template is vulnerable to SQL injection. The search function directly interpolates user-provided arguments into a SQLite query string without escaping or sanitization. Evidence: WHERE chunks_fts MATCH '$1' in the search() bash function. This allows a user or a malicious query to execute arbitrary SQL commands on the local database.
[Indirect Prompt Injection] (LOW): The skill processes untrusted document collections, making it vulnerable to malicious instructions embedded in documents (e.g., PDF or Word files). 1. Ingestion points: extract_pdf_text in SKILL.md reads content from local file paths provided by the user. 2. Boundary markers: Absent. The skill chunks and indexes raw text without delimiters or warnings to downstream agents. 3. Capability inventory: File system read access via pathlib and local database persistence via sqlite3. 4. Sanitization: Absent. Extracted text is inserted directly into the FTS5 index without filtering or validation.

knowledge-base-builder