
kb

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The /kb open and /kb search subcommands are vulnerable to path traversal. The skill constructs file paths from user-provided project names and queries without sufficient validation, so an attacker could use ../ sequences to read sensitive files outside the intended knowledge base directory.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes user-generated markdown files that may contain malicious instructions.
    • Ingestion points: Knowledge base entries are read into the agent session context via the /kb open command and displayed as content previews in the /kb search command.
    • Boundary markers: No delimiters or safety instructions separate the knowledge base content from the system prompt, increasing the risk that the agent will follow instructions embedded in the files.
    • Capability inventory: The skill possesses extensive capabilities, including executing shell commands (git, grep, sed), writing files, and copying files across the filesystem.
    • Sanitization: No sanitization, escaping, or validation is performed on the content read from the knowledge base files before the agent processes it.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands and system tools like git, grep, and sed through os.popen and subprocess.run. These operations use variables derived from the local environment and user input, which can be risky if the environment or inputs are manipulated.
  • [REMOTE_CODE_EXECUTION]: The skill implements its logic by dynamically generating Python scripts using string templates and heredocs, which are then executed at runtime. This pattern of script generation and execution increases the attack surface, especially when user-supplied strings like titles, descriptions, and slugs are interpolated into the code.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 31, 2026, 03:12 AM