
crew-creator


Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell_exec to run local Python scripts (scripts/init_crew.py, scripts/tools.py). While these are used for the skill's intended purpose of initializing agent configurations and querying tools, executing shell commands with arguments derived from user input or project state carries an inherent risk of command injection if parameters are not strictly validated.
  • [DATA_EXFILTRATION]: The utility script scripts/copy_skill_to_workspace.py is vulnerable to path traversal. The script joins the user-provided skill_name argument directly to a base path (agents_dir / "skills" / args.skill_name). An attacker could potentially use directory traversal sequences (e.g., ../../) to point the source to unauthorized directories. Although the script attempts to mitigate this by checking for the existence of a SKILL.md file in the source directory, this check could be bypassed in environments where such files exist in other locations, potentially allowing sensitive directories to be copied into the publicly accessible workspace.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface within its 'Employee Initialization Flow'. It collects free-text input from the user regarding the agent's name, role, instructions, and personality, and writes this data directly into the core definition files (IDENTITY.md, AGENTS.md, SOUL.md).
    ◦ Ingestion points: User input collected during Rounds 1, 2, and 3 of the initialization flow (documented in SKILL.md).
    ◦ Boundary markers: None are implemented in the init_crew.py script; user input is written directly into Markdown and YAML fields.
    ◦ Capability inventory: The skill has access to powerful tools including shell_exec, write_file, and a broad list of utilities referenced in available-tools.md.
    ◦ Sanitization: No sanitization or validation of the user-provided content is performed before it is written to the instruction files that govern the agent's behavior.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 19, 2026, 04:41 AM