mercury-agent-deployment

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a run_command tool that allows the agent to execute arbitrary shell commands. While the documentation provides an example of a blocklist to prevent dangerous operations (e.g., sudo, rm -rf /), this remains a high-privilege capability that could be misused if the blocklist is not comprehensively configured.
  • [REMOTE_CODE_EXECUTION]: The agent includes an install_skill tool designed to download and execute logic from 'community skills.' These external dependencies are unverified and represent a remote code execution vector if malicious skills are selected or if the source repository is compromised.
  • [COMMAND_EXECUTION]: The mercury service install command establishes persistence across system reboots by creating background daemons (systemd services on Linux, LaunchAgents on macOS, and Scheduled Tasks on Windows). This grants the agent long-term autonomous access to the host environment.
  • [EXTERNAL_DOWNLOADS]: The deployment process involves downloading the agent package from the NPM registry (@cosmicstack/mercury-agent) and potentially other system tools such as the GitHub CLI (gh) via brew or apt.
  • [DATA_EXFILTRATION]: The framework has tools for network access (fetch_url) and messaging (send_message via Telegram). When combined with the agent's ability to read local files (e.g., ~/.mercury/.env containing API keys), this creates a potential path for data exfiltration.
  • [CREDENTIALS_UNSAFE]: The skill instructions explicitly direct the user to store sensitive LLM provider API keys and Telegram bot tokens in a plaintext .env file located at ~/.mercury/.env.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It is designed to ingest and process untrusted data from external sources, such as Telegram messages and GitHub pull request diffs, which can then influence the agent's actions through its broad set of filesystem and shell tools.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 16, 2026, 11:24 PM
Security Audit — agent-trust-hub — mercury-agent-deployment