mcp-code-execution-template

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/execute.py file uses subprocess.run to execute TypeScript files using runners such as tsx or ts-node. This functionality allows for the execution of arbitrary commands on the host system.
  • [REMOTE_CODE_EXECUTION]: The skill implements a pattern where the agent writes code to a workspace directory and then executes it. This provides a direct mechanism for running arbitrary logic that could be influenced by malicious prompts or external data.
  • [DATA_EXFILTRATION]: The servers/mcp-client.ts utility includes the httpToolCall function, which uses the fetch API to send data to external HTTP endpoints. These endpoints are determined by configuration files or environment variables, posing a risk of unauthorized data transmission.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes data from external MCP servers without applying sanitization or boundary markers.
    • Ingestion points: Data enters the context through wrappers like servers/example-server/fetchData.ts.
    • Boundary markers: No delimiters or instructions to ignore embedded commands are present in the template wrappers.
    • Capability inventory: The skill is configured with access to powerful tools, including Bash, Write, and Edit.
    • Sanitization: The implementation lacks logic to validate or sanitize tool outputs before they are processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 26, 2026, 04:05 AM