evaluate-plugin-batch

Fail

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Command injection vulnerability in dynamic context placeholders within SKILL.md. The skill uses the !`command` syntax to execute shell commands when the skill is loaded into the agent's context. These commands include the $1 variable, which holds the user-supplied <plugin-name> argument. Because this input is not sanitized, a user could supply shell metacharacters (e.g., ;, &, |) to execute unauthorized commands on the host system. Evidence: `!find $1/skills -name "SKILL.md" -maxdepth 3` and `!find $1/skills -name "evals.json" -maxdepth 3`.
  • [COMMAND_EXECUTION]: The execution step involves running a local shell script evaluate-plugin/scripts/aggregate_benchmark.sh with the user-controlled <plugin-name> argument. This pattern facilitates command injection if the underlying script performs unsafe evaluation or interpolation of its parameters.
  • [PROMPT_INJECTION]: Indirect prompt injection attack surface. The skill reads external data from SKILL.md and evals.json files within the target plugin.
      • Ingestion points: SKILL.md and evals.json in Step 1 and Step 2.
      • Boundary markers: Absent. Instructions do not define delimiters for external data.
      • Capability inventory: Bash, SlashCommand, Write, Read, Task, TodoWrite.
      • Sanitization: Absent. The skill does not validate the content of the ingested files before using them to drive next steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 21, 2026, 01:18 AM
Security Audit — agent-trust-hub — evaluate-plugin-batch