scientific-critical-thinking

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command that incorporates user-provided content.
      • Evidence: In SKILL.md, the instruction python scripts/generate_schematic.py "your diagram description" -o figures/output.png specifies running a Python script with a string taken from the text.
      • Risk: This represents an indirect prompt injection surface where untrusted data (the diagram description) enters the shell execution context. If the input contains shell metacharacters and the execution environment does not sanitize them, it could lead to arbitrary command execution.
      • Ingestion points: Diagram descriptions provided in the natural language text processed by the skill.
      • Capability inventory: The skill explicitly allows the Bash tool in its metadata.
      • Boundary markers: The input is enclosed in double quotes in the example, but there are no instructions to the agent to sanitize or escape the content.
      • Sanitization: None present in the instructions.
  • [REMOTE_CODE_EXECUTION]: The skill relies on an external script that is not provided in the audited file list.
      • Evidence: SKILL.md references scripts/generate_schematic.py, but this file is missing from the skill directory.
      • Risk: Executing unverified local scripts that are not part of the skill package introduces a supply chain risk, as the script's behavior cannot be audited and its origin is unverifiable within the context of this skill.
  • [PROMPT_INJECTION]: There is a discrepancy in the author information which may indicate deceptive metadata.
      • Evidence: The YAML frontmatter in SKILL.md identifies the author as 'K-Dense Inc.', whereas the provided skill context identifies the author as 'foryourhealth111-pixel'.
      • Risk: Misleading metadata can be used to bypass trust-based filtering or to misrepresent the provenance of the skill's instructions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 02:49 PM