minimal-run-and-audit

Verdict: Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/write_outputs.py uses importlib.util to dynamically load and execute a Python module from a path computed at runtime (../../../../shared/scripts/write_run_bundle.py). This technique allows execution of code located outside the skill's own directory tree.
  • [COMMAND_EXECUTION]: The scripts/run_command.py utility executes arbitrary system commands supplied via the --command argument using subprocess.run. Although it uses shlex.split to mitigate basic shell injection, it fundamentally permits execution of any system command the agent environment allows.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it accepts "runnable commands" that are likely derived from untrusted repository content. Malicious instructions embedded in repository files could be treated as valid reproduction commands and executed.
  • Ingestion points: Untrusted commands are ingested from the target repository environment, as described in SKILL.md.
  • Boundary markers: No explicit boundary markers or "ignore" instructions are implemented to stop the agent from following embedded malicious commands in processed data.
  • Capability inventory: The skill has powerful capabilities, including arbitrary command execution (scripts/run_command.py) and file writing (scripts/write_outputs.py).
  • Sanitization: Although shlex.split is used to parse arguments, the skill has no mechanism to validate or sanitize the actual command content against an allowlist of safe operations.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 20, 2026, 05:58 AM