review-skill

Fail

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to read and search through ~/.aws/config and explicitly references ~/.aws/credentials to diagnose authentication issues. Accessing these specific file paths exposes sensitive AWS configuration and potentially long-term access keys to the agent's context.
  • [EXTERNAL_DOWNLOADS]: The skill directs users and the agent to install the skill-validator-ent CLI tool from a third-party GitHub repository (agent-ecosystem) and a Homebrew tap. This repository is not recognized as a trusted source, presenting a supply-chain risk for an executable binary.
  • [COMMAND_EXECUTION]: The workflow utilizes shell commands with unvalidated placeholders (e.g., <path>, <profile>, <user's region>). A malicious or confused user could provide inputs containing shell metacharacters that result in arbitrary command execution during verification steps like ls <path>/SKILL.md.
  • [INDIRECT_PROMPT_INJECTION]: As a tool designed to ingest and analyze external skill files, it is highly susceptible to indirect prompt injection. A malicious skill being reviewed could contain instructions that trick the agent into bypassing validation steps or leaking data during the analysis phase.
      ◦ Ingestion points: Step 4 instructions require reading the target SKILL.md and reference files into context.
      ◦ Boundary markers: Absent. The skill does not provide delimiters or instructions to treat the ingested content as untrusted data.
      ◦ Capability inventory: The skill has access to subprocess execution (skill-validator-ent), file system reads/writes, and AWS authentication status.
      ◦ Sanitization: Absent. There is no evidence of filtering or escaping logic applied to the content of the files being reviewed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 25, 2026, 02:26 PM