skill-system-gate

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH
Category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/gate_validate.py implements a rule engine that executes arbitrary shell commands. The run_command_rule function extracts a command string from a YAML configuration file and executes it using subprocess.run(["bash", "-lc", command]). Because the validate operation allows the agent to specify the path to this rules file, an attacker can achieve arbitrary command execution by providing a malicious configuration file.
  • [COMMAND_EXECUTION]: The run_eda_contract_rule function in scripts/gate_validate.py allows the user to specify a script path within the gate configuration which is then executed via python3. This allows for arbitrary script execution if the configuration file is controlled by an attacker.
  • [COMMAND_EXECUTION]: The shell scripts scripts/check_registry.sh and scripts/validate_exp.sh are vulnerable to Python code injection. They interpolate the $EXP_NAME shell variable directly into a Python command string passed to python3 -c. A crafted experiment name containing quotes and Python code (e.g., '); import os; os.system('...) can execute arbitrary logic within the Python interpreter.
  • [COMMAND_EXECUTION]: The validate operation in SKILL.md and SKILL.spec.yaml accepts a rules parameter of type path. Since the content of the file at this path dictates the commands executed by the host system, this input represents a high-risk vector for host compromise if the agent is directed to process an untrusted file.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 11, 2026, 12:54 AM