openmonoagent-local-ai-coding-agent

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: CRITICAL
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation includes multiple instances of a 'curl | bash' pattern, instructing users to pipe a remote script from an untrusted GitHub repository directly into a shell. This allows the remote server to execute arbitrary code on the user's machine.
  • Evidence: bash <(curl -fsSL https://raw.githubusercontent.com/StartupHakk/OpenMonoAgent.ai/refs/heads/main/get-openmono.sh) in SKILL.md.
  • [COMMAND_EXECUTION]: The skill provides the agent with run_command capabilities and documents the use of sudo for administrative tasks such as modifying user groups (usermod -aG docker) and configuring firewalls (ufw allow 8080/tcp). While presented as troubleshooting, these instructions encourage privilege escalation.
  • [DATA_EXFILTRATION]: The skill describes a 'Dual-box' mode and a 'relay' service that connects to app.openmonoagent.ai. It also includes programmatic examples of custom tools (fetch_api_data) that use HttpClient to send data to external endpoints, which could be abused to exfiltrate local files or environment secrets accessed via the agent's file-reading tools.
  • [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface as it is designed to ingest and process untrusted project data (source code, documentation, playbooks) while possessing dangerous capabilities like shell command execution and file writing.
  • Ingestion points: Processes project-level files and YAML playbooks (e.g., refactor-api.yml).
  • Boundary markers: No specific boundary markers or 'ignore' instructions are visible in the sub-agent system prompts to prevent embedded instructions from hijacking the agent loop.
  • Capability inventory: Includes run_command, write_file, and network operations via tools and sub-agents.
  • Sanitization: The skill mentions a 12-step tool pipeline for path sanity and schema validation, but these do not prevent high-level prompt injection attacks.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/StartupHakk/OpenMonoAgent.ai/refs/heads/main/get-openmono.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: May 17, 2026, 07:28 AM
Security Audit — agent-trust-hub — openmonoagent-local-ai-coding-agent