medusa-security

Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install an unverified third-party Python package medusa-security from PyPI. This package is not from a trusted organization or well-known technology vendor, representing a supply chain risk.
  • [COMMAND_EXECUTION]: The cli-wrapper.cjs script executes the Medusa CLI via spawnSync. While it correctly uses shell: false to mitigate shell injection, it still facilitates the execution of external binary code on the host system.
  • [DATA_EXFILTRATION]: The security-review.cjs script is configured to read and scan sensitive framework directories, including .claude/hooks and .claude/lib. These directories may contain the agent's executable logic, hooks, and potentially sensitive environment configuration.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from security scan results (SARIF and JSON formats) and interpolates the finding message field directly into a markdown report generated for the agent. If an attacker can influence the content being scanned to produce a specific malicious finding message, they could influence the agent's behavior when it processes the report.
      ◦ Ingestion points: scripts/sarif-parser.cjs and scripts/json-parser.cjs (via Medusa scan output).
      ◦ Boundary markers: The findings are formatted into a markdown table in scripts/finding-formatter.cjs.
      ◦ Capability inventory: spawnSync (Bash), file system read/write via the fs module.
      ◦ Sanitization: Implements basic markdown escaping for table pipe characters (|) but does not sanitize the instructional content of the message field.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 8, 2026, 12:28 AM