native-web-search

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The resolveConfigValue function in search.mjs uses execSync to run shell commands whenever a configuration value (such as a key in auth.json) begins with an exclamation mark (!). This feature, intended to allow secret retrieval from vaults or CLI tools, permits arbitrary command execution if an attacker can influence the contents of the local configuration.
  • [REMOTE_CODE_EXECUTION]: The script performs dynamic loading of the @mariozechner/pi-ai module using import() on computed paths. The collectModuleCandidates function searches for this module in several locations, including the current working directory (cwd) and its parents, which could lead to the execution of malicious code if the skill is run within a directory containing a crafted node_modules structure.
  • [CREDENTIALS_UNSAFE]: The skill reads and writes sensitive authentication data, including API keys and OAuth tokens, to a local file at ~/.pi/agent/auth.json.
  • [DATA_EXFILTRATION]: The script transmits authentication credentials and query data to the official API endpoints of OpenAI (chatgpt.com) and Anthropic (api.anthropic.com) to perform search tasks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted search results from external models and prints them to the console without sanitization or boundary markers. Since the script also has the ability to write to configuration files and execute shell commands, malicious content in search results could potentially influence the agent to perform unsafe operations.
  • Ingestion points: runCodexSearch and runAnthropicSearch functions in search.mjs ingest data retrieved from external web searches.
  • Boundary markers: Absent around the model output displayed to the agent.
  • Capability inventory: Shell command execution (execSync), local file system writes (writeFileSync), and network operations (fetch).
  • Sanitization: No validation, escaping, or filtering is applied to the retrieved search content before display.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 05:47 PM