create-master

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The installer script bin/cli.mjs (intended for use via npx master-skill install) is vulnerable to path traversal. The name argument is concatenated directly into file system paths used for directory creation, copying, and deletion (fs.rmSync) without any sanitization or containment check. A name containing ../ sequences therefore lets an attacker create, overwrite, or delete files outside the intended skills directory; the fs.rmSync sink is the most damaging, since it removes whatever the traversed path resolves to.
  • [COMMAND_EXECUTION]: Instructions in the root SKILL.md direct the agent to construct and execute shell commands (e.g., calling sutra_collector.py and master_builder.py) using unvalidated user input such as the master's name and tradition. If the agent interpolates those values into a single shell string, shell metacharacters in the input (semicolons, pipes, backticks, $(...)) are interpreted by the shell and run as additional commands with the agent's privileges.
  • [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to "directly use Python to call the FoJin REST API" by writing and executing custom scripts if the pre-built tools are insufficient. Directing an AI to generate and execute code that performs network operations increases the risk of arbitrary code execution and data exfiltration.
  • [PROMPT_INJECTION]: The skill provides an attack surface for indirect prompt injection by retrieving Buddhist texts from an external API (fojin.app) and processing them through analysis templates. Malicious instructions embedded in the retrieved texts could attempt to override the agent's behavior or exploit its powerful tool access (Bash, Write, WebFetch).
  • [COMMAND_EXECUTION]: The skill requests broad permissions in its frontmatter, including Bash, Read, Write, Edit, and WebFetch. This extensive toolset significantly escalates the potential impact of the aforementioned input validation vulnerabilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 22, 2026, 03:42 AM