assimilate

Warn

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The 'CLI-Anything' autodiscovery pattern instructs the agent to execute TOOL --help on tools identified within external repositories. If a benchmarked repository contains a malicious binary or script masquerading as a tool, the agent will execute it during the discovery phase.
  • [COMMAND_EXECUTION]: The skill uses shell-based pipelines to parse tool help outputs and generate wrappers. Maliciously crafted output from an external tool (e.g., containing shell metacharacters such as backticks or pipes) could result in command injection when the agent processes this data using node -e or shell pipes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external Git repositories and web sources.
      ◦ Ingestion points: Files within externals/<repo-name>/ and content retrieved via WebFetch.
      ◦ Boundary markers: Absent. The skill does not define delimiters or provide instructions to ignore malicious directives embedded in the analyzed codebases.
      ◦ Capability inventory: Bash, Write, Edit, WebFetch, Glob, Grep provide a large attack surface for an injected instruction to exploit.
      ◦ Sanitization: Absent. The workflow extracts features and gaps directly from external evidence without validation.
  • [DATA_EXFILTRATION]: Using the WebFetch and Bash tools, the agent could be manipulated via indirect prompt injection to read sensitive local configuration files (e.g., .env, .aws/credentials) and transmit them to an external server under the guise of benchmarking.
  • [COMMAND_EXECUTION]: The 'Multi-Platform CLI Generation' workflow generates build and configuration files (package.json, pyproject.toml, etc.) based on data assimilated from external sources. Malicious input during this phase could lead to the creation of poisoned packages or wrappers that execute code when installed or run.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 24, 2026, 09:28 AM