The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection because it ingests untrusted external content and influences agent decisions (fixing/editing files).
Ingestion points: The scripts/check_markdown.py script reads the entire content of a user-provided file via Path(filepath).read_text(encoding='utf-8').
Boundary markers: Absent. There are no delimiters or instructions to the agent to ignore embedded commands within the markdown file.
Capability inventory: The skill uses scripts/check_markdown.py to read files and output reports. Additionally, SKILL.md explicitly instructs the agent to use Read and Edit tools to process and modify files based on the content.
Sanitization: Absent. The content is processed directly by regular expressions and presented to the agent's context without filtering or escaping.
[Data Exposure] (HIGH): The script scripts/check_markdown.py accepts a file path as a command-line argument and reads its content using pathlib.Path.read_text(). It fails to implement path validation or sandboxing, which allows an attacker to trick the agent into reading sensitive files (e.g., ~/.bashrc, ~/.aws/credentials) and outputting their contents into the agent's conversation history.
[Command Execution] (LOW): While the skill uses subprocess-style execution (python3 scripts/check_markdown.py), the execution path is internal to the skill; however, the lack of input validation on the file path argument elevates the overall risk profile.

markdown-checker