text-tools

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH | COMMAND_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The replace command in text.sh is vulnerable to sed script injection. User-provided patterns and replacements are directly interpolated into the sed command string (e.g., sed "s/$PATTERN/$REPLACEMENT/g"). An attacker can use the / delimiter to terminate the substitution and inject additional sed commands. In environments where GNU sed is used, the e flag can be exploited to execute arbitrary shell commands.
  • [DATA_EXFILTRATION]: Due to the sed injection vulnerability, an attacker can use the r (read) or w (write) commands within the manipulated sed script to access or exfiltrate sensitive files from the system or modify existing configuration files.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes raw text from external files without sanitization.
      • Ingestion points: The get_input function in text.sh reads data directly from user-specified files or standard input.
      • Boundary markers: There are no boundary markers or instructions used to prevent the agent from being influenced by malicious instructions embedded in the text being processed.
      • Capability inventory: The skill utilizes powerful system utilities including sed, awk, python3, sort, tr, and xxd.
      • Sanitization: While the script attempts to escape some characters for literal replacements, it lacks validation for regex-based replacements, leaving the system open to the injection vectors described above.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 05:11 AM