zhin-ai-integration

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Risk Categories: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Dynamic Execution (MEDIUM): The documentation lists 'run_code' as a built-in tool. Allowing an AI agent to execute arbitrary JavaScript code creates a high-risk path for Remote Code Execution (RCE) if the agent is manipulated via prompt injection to run malicious scripts on the host environment.
  • Data Exfiltration (MEDIUM): The inclusion of a built-in 'http_request' tool provides a mechanism for the AI to send data to external URLs. This can be abused to exfiltrate sensitive data, such as the API keys configured in the skill's example, to attacker-controlled servers.
  • Unverifiable Dependencies (MEDIUM): The skill instructs the user to install '@zhin.js/ai'. This package and its organization 'zhinjs' are not in the trusted sources list, requiring verification of the package content and its maintainers before use.
  • Indirect Prompt Injection (LOW): The skill defines a large attack surface where untrusted user input is processed by an agent with access to dangerous capabilities.
      • Ingestion points: User messages processed via ai.ask(), ai.chatWithSession(), and agent.run() in SKILL.md.
      • Boundary markers: Absent; no instructions provided to delimit user input from system instructions.
      • Capability inventory: run_code, http_request, and search_database.
      • Sanitization: Absent; the code snippets show direct passing of input to AI services and tools without validation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:44 PM