skf-quick-skill

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands in steps-c/step-05-validate.md (npx skill-check) and steps-c/step-06-write.md (python3 ... skf-atomic-write.py). These commands incorporate variables like {skill_package} and {version} which are derived directly from user-supplied GitHub URLs or package names. The instructions do not mandate sanitization of these variables, creating a risk of command injection if the input contains shell metacharacters (e.g., ;, &, |).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data to generate instructions. Ingestion points: In steps-c/step-03-quick-extract.md, the skill reads README.md files, manifest files, and source code from arbitrary external GitHub repositories. Boundary markers: The generated content is placed into a structured template defined in assets/skill-template.md. Capability inventory: The skill possesses the ability to write to the local file system and execute shell commands via npx and python3. Sanitization: While the instructions suggest formatting rules (third-person voice, 1024-character limit), they lack explicit requirements to sanitize or escape the extracted content before it is placed in the generated SKILL.md. This could allow an attacker to embed malicious instructions in a repository's documentation that are then included in the final document and executed by other agents.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with external services to resolve and fetch repository data. It queries the npm, PyPI, and crates.io registries and uses the GitHub API and web browsing to retrieve source files. It also utilizes npx to execute the skill-check utility, which may involve downloading the package from the npm registry. These actions are aligned with the skill's primary function and target well-known, established services.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 11, 2026, 09:53 AM