minimal-run-and-audit

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/run_command.py uses subprocess.run to execute arbitrary commands provided via the --command CLI argument. While it utilizes shlex.split to avoid simple shell injection, it effectively serves as a wrapper for arbitrary command execution on the host system.
  • [DYNAMIC_EXECUTION]: The script scripts/write_outputs.py uses importlib to dynamically load and execute a module from a path computed at runtime (../../../shared/scripts/write_run_bundle.py). Loading executable code from outside the skill's own package boundaries using relative paths increases the risk of executing untrusted code if the surrounding filesystem environment is not strictly controlled.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the output of executed commands, creating a potential attack surface.
    1. Ingestion points: The stdout and stderr streams of the executed commands are captured and logged in scripts/run_command.py.
    2. Boundary markers: None are present to delimit untrusted output from instructions.
    3. Capability inventory: The skill possesses the capability to run arbitrary subprocesses and perform git operations.
    4. Sanitization: No sanitization or filtering of the captured output is performed before it is processed or logged.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 09:56 PM