background-process-run-command-sync

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill defines a tool, run_command_sync, that takes a command string and executes it directly in a shell environment. This capability allows an agent or an attacker to perform any action the underlying user account is permitted to do, including modifying system files or installing malicious software.
  • Evidence: The arguments schema in SKILL.md requires a command property of type string, with no validation patterns or allow-lists.
  • [DATA_EXFILTRATION]: The skill is designed to return the full output of the executed command back to the agent. This facilitates the reading of sensitive files such as SSH keys, environment variables, or application secrets if the provided command targets those files.
  • Evidence: The tool description explicitly states it "returns full output" of the synchronous shell command.
  • [PROMPT_INJECTION]: The skill presents a large surface for indirect prompt injection because it ingests untrusted strings into a high-privilege execution environment (a shell). A malicious input could result in the execution of secondary payloads.
  • Ingestion points: The command argument in SKILL.md.
  • Boundary markers: None present; the command is passed directly to the execution manager.
  • Capability inventory: Shell execution via run_command_sync with the ability to return results.
  • Sanitization: None provided in the skill definition.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 13, 2026, 08:28 PM