catalog-porter

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a git clone command with a user-provided URL, without sufficient sanitization and without the -- separator that ends option parsing. A URL beginning with a dash is therefore parsed as an option, allowing argument injection (e.g., --upload-pack) that can lead to arbitrary code execution.
  • [REMOTE_CODE_EXECUTION]: In Phase 5 (Validation), the skill runs bun run build:index, bun run validate, and bun test. Because these commands run after external files have been cloned and copied into the local repository, a malicious upstream repository could include files (such as configuration files or test scripts) that execute arbitrary code during the validation phase.
  • [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection because it reads and processes the content of untrusted SKILL.md files from external repositories in order to classify and port them.
    • Ingestion points: The agent reads every SKILL.md file found in the cloned repository (Phase 1, Step 7).
    • Boundary markers: No boundary markers are specified, and the agent is not instructed to ignore commands embedded in the processed files.
    • Capability inventory: The skill has extensive capabilities, including network operations (git clone), filesystem write access (catalog/skills/), and shell command execution (bun test, rm -rf).
    • Sanitization: No sanitization or validation of the external markdown or its frontmatter is performed before it is analyzed or integrated into the local catalog.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 3, 2026, 03:50 PM