skills/xenodium/emacs-skills/describe/Gen Agent Trust Hub

describe

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes emacsclient --eval using the Bash tool. The user-provided query is interpolated directly into a Lisp string template within the shell command. This allows an attacker to perform Lisp injection by including closing quotes and parentheses (e.g., ") (shell-command "... ") ") to execute arbitrary commands on the host system.
  • [REMOTE_CODE_EXECUTION]: Because Emacs Lisp has full access to the underlying system via functions like shell-command or call-process, the injection vulnerability in the emacsclient call facilitates full remote code execution in the context of the running Emacs process.
  • [DATA_EXFILTRATION]: The agent-skill-describe.el script uses symbol-value to retrieve and return the contents of any Emacs variable. An attacker can use this to exfiltrate sensitive information stored in Emacs memory, such as API keys, environment variables, or authentication tokens (e.g., querying variables like auth-sources or process-environment).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves documentation strings from the Emacs environment and passes them to the LLM for summarization. If documentation for a function or variable has been tampered with (e.g., by a malicious third-party Emacs package), it could contain instructions that manipulate the agent's behavior during the summary phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 26, 2026, 05:50 AM