
hosted-agents

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The implementation patterns in references/infrastructure-patterns.md and scripts/sandbox_manager.py exhibit command injection vulnerabilities. User-controlled data, such as user_identity["name"], user_identity["email"], and repo_url, is directly interpolated into shell commands via os.system() and sandbox.execute_command(). For example, a malicious user name or email could be crafted to execute arbitrary shell commands within the sandbox environment during git configuration.
  • [DATA_EXFILTRATION]: The architecture is designed to manage sensitive credentials, including GitHub App tokens for repository access and user OAuth tokens for PR creation. Due to the command injection vulnerabilities, these secrets are at risk of being exfiltrated if an attacker successfully injects malicious commands into the sandbox lifecycle.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloading and executing code from arbitrary external GitHub repositories. While this is the intended functionality for a hosted coding agent, it requires strict isolation and validation of the downloaded content, which the provided insecure code patterns do not fully address.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing untrusted user data without sufficient safeguards.
      ◦ Ingestion points: Untrusted data enters via user messages in the Slack integration (classify_repository) and via prompt strings in the sandbox execution methods (execute_prompt).
      ◦ Boundary markers: The provided code examples lack boundary markers or explicit instructions to treat user-supplied strings as data rather than instructions.
      ◦ Capability inventory: The sandboxed environment has broad capabilities, including file system access (reading source code), network access (cloning repositories), and shell execution (os.system).
      ◦ Sanitization: There is no evidence of sanitization or validation of the user-provided inputs before they are interpolated into prompts or shell commands.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 30, 2026, 10:01 PM