bx-ai-tools

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The calc tool example in the "Using Tools with aiChat()" section calls evaluate(expr), where expr is a string supplied by the model as a tool argument. In BoxLang and similar environments, evaluate() is not restricted to arithmetic; it executes arbitrary code. If the model is steered by prompt injection into emitting code instead of an expression, that code runs with the privileges of the agent process, including the ability to launch system commands.
  • [REMOTE_CODE_EXECUTION]: By recommending evaluate() on externally supplied strings (AI tool arguments), the documentation promotes an unsafe pattern in which code generation and code execution are both driven by untrusted input. The tool argument should be treated as data to be parsed and validated, not as code to be run.
  • [DATA_EXFILTRATION]: The skill includes examples for tools such as get_users and send_email. These are legitimate for administrative agents, but the combination of a data-reading tool and an outbound-sending tool is a significant exfiltration surface if the agent's instructions are bypassed by injected content.
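The following is an added example written for this audit page, not code from the bx-ai-tools skill or from the BoxLang project. It re-creates the calc-tool pattern in Python rather than BoxLang so the two behaviours can be run side by side: calc_unsafe() mirrors evaluate(expr) with Python's eval(), and calc_safe() parses the model-supplied string into an AST and accepts only arithmetic node types, so injected code is rejected instead of executed. The tool-call shape, dispatch_tool(), the MAX_EXPR_LEN and MAX_EXPONENT limits and the sample tool calls are all assumptions made for the example.

```python
"""Calc tool: the audited evaluate()-style pattern beside an arithmetic-only parser.

Assumed tool-call shape (not the skill's real API):
    {"name": "calc", "arguments": {"expr": "<string chosen by the model>"}}
The model's output is untrusted: a prompt injection can make it emit code.
"""
import ast
import operator

# Operators the calculator may perform. Anything else (attribute access, calls,
# names, subscripts, lambdas, comprehensions ...) is rejected before evaluation.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_EXPR_LEN = 200   # assumed limit: bounds parser work on model-supplied input
MAX_EXPONENT = 64    # assumed limit: stops 9**9**9-style CPU/memory exhaustion


def calc_unsafe(expr: str):
    """The audited pattern: the model's string is executed as code (like evaluate(expr))."""
    return eval(expr)  # deliberately unsafe, kept to show the behaviour under review


def _eval_node(node: ast.AST):
    """Recursively evaluate an AST node, allowing only numeric literals and arithmetic."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def calc_safe(expr: str):
    """Arithmetic-only evaluator: the tool argument is parsed as data, never run as code."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")   # SyntaxError propagates for non-expressions
    return _eval_node(tree.body)


def is_rejected(expr: str) -> bool:
    """True if calc_safe refuses `expr` (parse error or disallowed syntax)."""
    try:
        calc_safe(expr)
    except (ValueError, SyntaxError):
        return True
    return False


def dispatch_tool(call: dict):
    """Stand-in for the tool-dispatch step of an aiChat()-style loop (assumed shape).
    Everything in `call` came from the model and is untrusted."""
    if call.get("name") != "calc":
        raise ValueError(f"unknown tool: {call.get('name')!r}")
    args = call.get("arguments", {})
    return calc_safe(str(args.get("expr", "")))


if __name__ == "__main__":
    # Constructed tool calls: one benign, one where injected content steered the
    # model into emitting code instead of arithmetic.
    benign = {"name": "calc", "arguments": {"expr": "(2 + 3) * 4"}}
    injected = {"name": "calc", "arguments": {"expr": "__import__('os').getcwd()"}}

    print(calc_unsafe(benign["arguments"]["expr"]))    # 20
    print(calc_unsafe(injected["arguments"]["expr"]))  # os.getcwd() ran: code executed, not math
    print(dispatch_tool(benign))                       # 20
    try:
        dispatch_tool(injected)
    except ValueError as e:
        print("rejected:", e)                          # rejected: disallowed syntax: Call
```

The same principle applies in BoxLang: replace evaluate() in the calc tool with a parser that accepts only numbers and operators, and apply the same "arguments are data" rule to every tool the model can call. The exponent and length caps matter because even a pure-arithmetic evaluator is still running on attacker-influenced input and can be driven into resource exhaustion.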
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 02:16 PM