vs-debug-mode

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/debug_server.js script executes shell commands (lsof and kill -9) for port management. While the port number is sanitized, executing process-management commands through a shell is a high-privilege pattern that can be risky in certain environments.
  • [COMMAND_EXECUTION]: The scripts debug_server.js and debug_cleanup.js are vulnerable to path traversal. The sessionId parameter is concatenated into filesystem paths without sanitization (e.g., path.join(LOG_DIR, 'debug-' + sessionId + '.log')). Because path.join normalizes '..' segments, a sessionId containing ../ sequences lets the skill create or delete .log files outside LOG_DIR, in arbitrary locations the process can write to.
  • [DATA_EXFILTRATION]: The log server (debug_server.js) starts an unauthenticated HTTP service on port 8787 with permissive CORS headers (Access-Control-Allow-Origin: '*'). Any local process can post to it, and because of the CORS header so can any web page open in the user's browser; whatever is posted is then stored on the host filesystem.
  • [PROMPT_INJECTION]: The skill instructs the agent to read and interpret application logs, which are composed of untrusted data from the application's runtime environment, creating a surface for indirect prompt injection.
  • Ingestion points: The agent reads log files using the cat command as specified in SKILL.md (e.g., cat /path/to/project/.debug/debug-$SESSION_ID.log).
  • Boundary markers: Absent. Log data is processed as raw text without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The agent has access to shell execution (node, curl, cat), system process termination (kill), and filesystem modification via the provided scripts.
  • Sanitization: Absent. Neither the logs nor the sessionId used to access them are sanitized for malicious patterns or path traversal.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 1, 2026, 03:12 PM