openrouter-config-validator

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Dynamic Execution (HIGH): The scripts test-routing.sh, test-fallback.sh, troubleshoot.sh, and validate-env-config.sh utilize the source command on file paths provided as arguments. This allows for arbitrary command execution (RCE) within the agent's shell environment because source interprets and executes the content of the target file as shell code, rather than simply parsing it for key-value pairs.
  • Data Exposure & Exfiltration (MEDIUM): The skill's primary function involves handling the OPENROUTER_API_KEY and transmitting it via curl to https://openrouter.ai. While this domain is relevant to the skill's purpose, it is not on the trusted whitelist, and the ability to execute arbitrary code via the source vulnerability significantly increases the risk that these credentials could be exfiltrated to an attacker-controlled endpoint.
  • Indirect Prompt Injection (MEDIUM):
      ◦ Ingestion points: Data is ingested from the OpenRouter API (model lists, usage stats) via curl in check-model-availability.sh, check-provider-status.sh, and analyze-usage.sh.
      ◦ Boundary markers: No delimiters or 'ignore instructions' warnings are present in the scripts' output.
      ◦ Capability inventory: The skill has access to Bash execution, file system operations (Read/Write/Glob), and network access.
      ◦ Sanitization: While jq is used for JSON parsing, the resulting text is directly output to the agent, potentially allowing malicious API responses to influence the agent's subsequent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:04 AM