github-to-skills

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Dynamic Execution] (HIGH): The skill generates Python scripts in scripts/wrapper.py by directly interpolating the repository name into a code template. An attacker can craft a malicious GitHub URL where the repository name contains Python code (e.g., using quotes and semicolons), leading to arbitrary code execution when the generated script is run. Evidence: create_github_skill.py lines 53-61.
  • [Indirect Prompt Injection] (LOW): The skill ingests untrusted README content from external repositories and includes it in the generated SKILL.md for agent analysis. A malicious README could contain prompt injection attacks designed to manipulate the agent's behavior during the skill creation process.
    1. Ingestion points: fetch_github_info.py fetches README content via urllib.request.
    2. Boundary markers: Absent; README content is inserted directly into SKILL.md without delimiters.
    3. Capability inventory: File system writes, directory creation, and placeholder script generation in create_github_skill.py.
    4. Sanitization: Inadequate; only length truncation (10k characters) is performed on the ingested content.
  • [External Downloads] (SAFE): The skill makes network requests to github.com and raw.githubusercontent.com to fetch repository metadata. These are trusted external sources per policy, so the download activity itself is considered safe. Evidence: fetch_github_info.py lines 24 and 39.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:49 PM