demo-producer

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The generator script scripts/generate.sh is vulnerable to shell command injection. Multiple functions, including generate_cli_script, generate_skill_script, generate_agent_script, and generate_tutorial_script, use unquoted heredocs (e.g., << SCRIPT_HEADER, << TITLE, << ACTIVATION) to write shell scripts to disk. Variables containing user-supplied command arguments or data extracted from project files (such as DEMO_NAME and DEMO_DESCRIPTION) are expanded by the shell during this process. If these inputs contain shell metacharacters like backticks or $(), arbitrary commands will be executed on the host system during the generation phase.
  • [COMMAND_EXECUTION]: The skill's primary functionality relies on dynamic code generation and execution. It programmatically creates bash scripts (scripts/demo-*.sh) and VHS tape files, makes the scripts executable using chmod +x, and executes them. This architecture provides a direct path for executing dynamically constructed logic on the user's machine.
  • [EXTERNAL_DOWNLOADS]: The skill implementation and documentation reference several external tools and frameworks that must be present or are invoked at runtime. These include vhs, asciinema, and manim (Python), as well as the remotion framework which is executed via npx in the full-pipeline.sh script.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it extracts metadata, such as names and descriptions, from external SKILL.md, agent.md, and plugin.json files and incorporates them into its execution logic without sanitization. An attacker controlling these files could inject malicious content into the produced demo scripts or influence the generator's behavior. Evidence includes ingestion points in extract_skill_metadata and extract_agent_metadata within scripts/generate.sh, and the lack of sanitization when interpolating these values into heredocs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 27, 2026, 04:28 PM