esaa-security-audit

Warn

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to clone a repository from an unverified GitHub user (github.com/elzobrito/ESAA-Security.git) which is not identified as a trusted vendor.
  • [REMOTE_CODE_EXECUTION]: The installation process involves cloning a remote repository and installing dependencies via pip install, followed by the execution of Python scripts from that repository. This allows for the execution of arbitrary remote code from an untrusted source.
  • [DATA_EXFILTRATION]: The skill requires sensitive LLM API keys to be set as environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY). Because the skill executes unverified code from an external source, there is a significant risk that these credentials could be exfiltrated.
  • [COMMAND_EXECUTION]: The documentation provides examples of shell commands for setup and execution (e.g., git clone, pip install, python orchestrator.py) which facilitate the operation of code originating from an untrusted source.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from an external repository.
    1. Ingestion points: Source code files read from the path defined in AUDIT_TARGET_REPO.
    2. Boundary markers: The skill mentions using schema-validated outputs and AGENT_CONTRACT.yaml for governance.
    3. Capability inventory: The agent has permissions to read various file types (**/*.py, **/*.js, etc.) and write findings to the reports directory.
    4. Sanitization: While the skill mentions hallucination prevention, it lacks explicit details on the sanitization or escaping of ingested code content before processing by the LLM.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 24, 2026, 06:28 PM
Security Audit — agent-trust-hub — esaa-security-audit