askprisma
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill dynamically locates and executes a Python script ('generate_report.py') using a 'find' command in the user's home directory. This constitutes loading and executing code from a computed path.
  - Evidence: SKILL.md Phase 5 uses 'REPORT_SCRIPT=$(find ~/.claude/skills/askprisma/scripts ... -name generate_report.py ...) ; python "$REPORT_SCRIPT"'.
  - Risk: An attacker with local write access to these paths could place a malicious script that the agent would then execute with user privileges.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the agent to install missing Python libraries at runtime using pip.
  - Evidence: SKILL.md Phase 3 states 'install missing packages with pip if needed'. coding-patterns.md states 'If a library is missing: pip install library_name'.
  - Risk: This could lead to the installation of malicious packages via dependency confusion or typosquatting attacks if the agent incorrectly identifies a package name.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted external data (CSV, Excel, SQL) and interpolates it into analysis and reports without sanitization or boundary markers (Indirect Prompt Injection).
  - Ingestion points: 'pd.read_csv', 'pd.read_sql', and glob-based file discovery in 'coding-patterns.md'.
  - Boundary markers: Absent. No instructions to use XML delimiters or safety warnings for data processing.
  - Capability inventory: Shell command execution, Python execution (via Bash), and local script execution.
  - Sanitization: None mentioned for data content or the generated JSON report input.
  - Risk: Maliciously crafted data files could attempt to influence the agent's behavior or inject malicious content into generated PDF reports.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The combination of 'pip install' and the execution of dynamically discovered scripts allows for the introduction and execution of code not originally packaged with the skill.
Audit Metadata