The Agent Skills Directory

[COMMAND_EXECUTION]: The update-append command utilizes typer.edit() to open a system editor. The documentation explicitly notes that the EDITOR or VISUAL environment variables can be set to scripts for programmatic interaction. This capability allows for arbitrary command execution if an agent or attacker can influence the environment variables used during the script's execution.
[COMMAND_EXECUTION]: The commands fetch-github <owner/repo> and set-description <topic> "<description>" accept arbitrary strings as input. If the underlying Python script (research/knowledge-explorer.py) processes these inputs using shell execution (e.g., os.system or subprocess.run(..., shell=True)), it may be vulnerable to command injection attacks.
[EXTERNAL_DOWNLOADS]: The fetch-github command fetches data (READMEs, metadata, and directory listings) from GitHub repositories. While GitHub is a trusted platform, the content fetched is user-generated and untrusted. This creates a surface for indirect prompt injection where malicious instructions in a README could influence the agent's behavior during the add or set-description phases of the workflow.
[DATA_EXFILTRATION]: The skill relies on an authenticated GitHub CLI (gh) session. This grants the script access to the user's GitHub tokens and private repository data. Unvalidated input passed to gh api calls via the fetch-github command could be used to attempt unauthorized data access or exfiltration of sensitive repository information.

knowledge-explorer