uni-agent

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The MCP adapter in adapters/mcp.py uses the stdio_client to spawn local processes based on the command and args fields in config/agents.yaml. While this is standard for the Model Context Protocol, it allows the execution of any local executable (e.g., npx, bash, python) with arbitrary arguments, effectively providing a Remote Code Execution (RCE) primitive if the configuration is manipulated or if the agent is tricked into adding a malicious agent entry.
  • [REMOTE_CODE_EXECUTION] (HIGH): Multiple adapters (anp.py, a2a.py, lmos.py) fetch structured metadata (Agent Descriptions, Agent Cards, or Registry JSON) from external URLs provided in the config. These remote files define the 'methods' and 'capabilities' the agent can call. A malicious remote endpoint can provide crafted tool descriptions to perform Indirect Prompt Injection, forcing the agent to execute dangerous operations or exfiltrate data under the guise of 'calling an agent method'.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The setup.sh script automatically installs the anp package via pip3. This package is not on the trusted repository list and represents an unverifiable dependency that is granted full environment access upon installation.
  • [DATA_EXFILTRATION] (MEDIUM): The skill utilizes aiohttp to communicate with arbitrary endpoints across all protocols. In combination with its capability to read local files (via the filesystem MCP server shown in examples), this provides a clear pathway for data exfiltration if the agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:23 AM