switch-brand

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Execution of vendor-provided scripts. The skill relies on running 'scripts/setup.py' via the shell for administrative brand tasks.
  • [COMMAND_EXECUTION]: Command injection vulnerability. The process for switching brands takes unverified user input ('BRAND_SLUG') and places it directly into a command-line execution string. An attacker could craft a malicious brand name using shell metacharacters to perform unauthorized system operations.
  • [COMMAND_EXECUTION]: Lack of input validation and sanitization. The skill instructions do not require the agent to verify the existence of the brand slug or escape special characters before execution, exposing a significant attack surface through untrusted user data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 1, 2026, 01:19 AM