The Agent Skills Directory

[PRIVILEGE_ESCALATION]: The skill instructions direct the agent to use the Read tool to access files located in parent directories (../../agents/*.md). This use of relative paths to traverse outside the skill's own directory structure allows access to files in the broader system environment, which may contain sensitive configurations or instructions.
[DYNAMIC_EXECUTION]: In its 'Inline Mode', the skill instructs the agent to assemble and execute shell commands via the Bash tool (e.g., agent-browser open <url>). The URLs are constructed by interpolating user-supplied variables such as {crate_name} and {path}. This pattern creates a high risk of command injection if the agent fails to sanitize these inputs before executing the resulting shell command.
[INDIRECT_PROMPT_INJECTION]: The skill fetches and processes content from various external Rust community websites (such as lib.rs and crates.io) to provide documentation and version information. This untrusted data is integrated into the agent's context without boundary markers or sanitization, presenting an attack surface for indirect prompt injection.
Ingestion points: Documentation and metadata fetched from lib.rs, crates.io, docs.rs, and rust-lang.org.
Boundary markers: None are specified in the output formatting instructions to delimit external content.
Capability inventory: The agent has access to Bash (shell execution), Task (sub-agent creation), and Read (file system access).
Sanitization: There are no instructions provided for the validation or escaping of the fetched external content.

rust-learner