octocode-search-skill

Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch directory contents and files from arbitrary GitHub repositories using the githubGetFileContent tool.
  • [REMOTE_CODE_EXECUTION]: The workflow automates the installation of untrusted external content (agent skills) from GitHub into local execution environments such as ~/.claude/skills/, ~/.cursor/skills/, and ~/.codex/skills/. Since agent skills contain instructions and potential scripts that the agent executes, this facilitates persistent remote code execution if a malicious repository is selected during the search process.
  • [COMMAND_EXECUTION]: The skill uses shell commands, specifically cp -r and ls, to move downloaded content into sensitive system paths and verify installation. This provides a mechanism for local file manipulation based on external data.
  • [DATA_EXFILTRATION]: The skill targets and accesses sensitive hidden directories in the user's home folder (~/.claude/, ~/.claude-desktop/, etc.) where agent configurations, history, and existing skills are stored. This exposes the agent's local security posture to external content during the preview and install phases.
  • [INDIRECT_PROMPT_INJECTION]:
      • Ingestion points: Untrusted data enters the agent context through GitHub code search results and file content fetches via the Octocode MCP.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when the agent processes or previews the fetched SKILL.md files.
      • Capability inventory: The agent has the capability to perform shell operations (cp, ls), directory downloads, and network requests via GitHub APIs.
      • Sanitization: Verification is limited to checking for basic metadata (YAML frontmatter) and the existence of a SKILL.md file, which does not prevent malicious instructions within that file from being interpreted by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 8, 2026, 03:56 PM