The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes a shell pipeline that takes raw data extracted from a downloaded image and passes it as an argument to less via xargs.
Evidence: The command strings /tmp/image.png | grep -o "License:.*" | cut -d':' -f2 | xargs less --squeeze-blank-lines | cat in SKILL.md.
Risk: An attacker controlling the remote image repository (or a contributor to it) can craft an image where the License: metadata string contains malicious flags for the less command. This could lead to arbitrary file reads (e.g., using --open-file) or potential command execution depending on the shell environment and less version.
[COMMAND_EXECUTION]: The security validation logic meant to prevent directory traversal is fundamentally flawed.
Evidence: if [[ "$(strings /tmp/image.png | ... | realpath)" != "$(pwd)" ]]; then echo "License file path is unsafe! aborting."; exit 1; fi in SKILL.md.
Risk: The script attempts to verify that the extracted license name resolves to the current directory (licenses/). However, the realpath of any valid file inside that directory will never be equal to the directory's path itself. This logic error ensures the check either always fails for valid files or can be bypassed by an attacker providing a path that resolves exactly to the directory (e.g., .), which then causes less to be executed on the directory contents.
[EXTERNAL_DOWNLOADS]: The skill downloads a catalog and binary image files from a remote GitHub repository at runtime.
Evidence: curl -s "https://raw.githubusercontent.com/noah-lowery/free-use-images/main/index.json" and curl -s "https://raw.githubusercontent.com/noah-lowery/free-use-images/main/images/$image_name" in SKILL.md.
Risk: While the repository is owned by the skill author, the trust is misplaced because the content of these remote files is used to drive the aforementioned unsafe shell operations.

openlicense-images