bounty-hunter

Status: Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The scripts/scan.sh script executes npm install and pip3 install -r requirements.txt within a directory containing code cloned from a user-provided repository URL. This enables an attacker-controlled repository to execute arbitrary code on the host machine through preinstall or postinstall scripts in package.json, or via malicious packages in requirements.txt.
  • [COMMAND_EXECUTION]: Several scripts are vulnerable to command injection. In scripts/scan.sh and scripts/triage.sh, Python commands are constructed using string interpolation of variables like $REPO_NAME or $JSON_FILE (e.g., python3 -c "... open('$OUTPUT_DIR/${REPO_NAME}-slither.json') ..."). If these variables contain single quotes or other shell metacharacters derived from a malicious repository name or file path, it can lead to arbitrary code execution within the Python process.
  • [EXTERNAL_DOWNLOADS]: The skill performs git clone on arbitrary URLs provided by the user. It then proceeds to install dependencies found within those repositories using npm and pip3 without validation of the source or the packages themselves.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in scripts/triage.sh.
    ◦ Ingestion points: Data is ingested by cloning an external repository in scripts/scan.sh and reading the resulting Slither JSON output in scripts/triage.sh.
    ◦ Boundary markers: None are present in the prompt construction used for local LLM triage.
    ◦ Capability inventory: The skill has capabilities for shell execution (bash, git, npm, pip), local file system access, and local network communication via curl to a local Ollama instance.
    ◦ Sanitization: There is no sanitization or escaping of the finding descriptions extracted from the untrusted source code before they are interpolated into the prompt sent to the LLM. An attacker could embed malicious instructions in a smart contract comment that Slither includes in its report, potentially manipulating the triage results.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 13, 2026, 02:07 PM