test-mcp-by-cli

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions in SKILL.md and references/testing-flow.md to download and execute an installation script from an untrusted third-party source using the pattern curl -fsSL https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh | bash. This bypasses package manager verification and allows arbitrary code execution from a personal repository.
  • [COMMAND_EXECUTION]: The skill documentation describes the execution of various system commands, including the mcp-cli tool, bun for running local TypeScript source code (bun run src/index.ts), and jq for parsing output. These operations allow the agent to perform extensive local system actions.
  • [CREDENTIALS_UNSAFE]: In references/configuration-and-arguments.md, the documentation explicitly recommends that users 'hardcode secrets directly in the config' during testing phases. This is a significant security risk that can lead to the accidental exposure of sensitive API keys or credentials in local files or version control.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing external data from MCP tool outputs without sufficient validation.
      • Ingestion points: Data enters the agent context through the stdout of mcp-cli call as shown in SKILL.md and references/testing-flow.md.
      • Boundary markers: Absent; there are no specific instructions for the agent to treat tool output as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill possesses capabilities for subprocess execution via mcp-cli and bun, as well as network interaction through the MCP protocol.
      • Sanitization: While the skill suggests using jq for structured data parsing, this does not prevent the interpretation of malicious natural language instructions contained within the JSON fields.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/philschmid/mcp-cli/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 9, 2026, 07:43 PM