The Agent Skills Directory

[COMMAND_EXECUTION]: A command injection vulnerability exists in the runCommand function within tunnel-manager.js. The script uses child_process.spawn with the { shell: true } option while passing unsanitized user input from command-line arguments such as --name. An attacker can inject shell metacharacters (e.g., ;, &, |) into arguments to execute arbitrary code on the host machine.
[DATA_EXFILTRATION]: The skill facilitates the exposure of local network ports to the public internet via Cloudflare, Tailscale, or Ngrok. If an agent is manipulated into exposing a port running a sensitive service (like a database or internal API), it could result in unauthorized external access to private data.
[PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection.
Ingestion points: Untrusted data can enter the system via the command-line arguments parsed in tunnel-manager.js, such as --name or --subdomain.
Boundary markers: There are no delimiters or validation logic to prevent malicious input from being interpreted as shell commands within the subprocess environment.
Capability inventory: The script has the ability to spawn background processes (cloudflared, tailscale, ngrok), manage their lifecycles (kill processes), and write state information to the user's home directory (~/.config/agent/tunnels/).
Sanitization: The script lacks any sanitization or escaping of input strings before they are used in shell command construction, relying only on a basic integer parse for the --port argument.
[EXTERNAL_DOWNLOADS]: The skill references external CLI tools from Cloudflare, Tailscale, and Ngrok. These are well-known technology providers and their official tools are considered safe sources, though the skill itself does not automate their download.

tunnel-manager