cheez-search
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation in 'SKILL.md' and 'references/sg-patterns.md' directs the agent to use the 'Bash' tool to run 'ast-grep' ('sg') commands. It provides templates that incorporate user-provided variables such as '$PATTERN' and '$SCOPE_INPUT'. Constructing shell commands from potentially untrusted input is a known attack vector for command injection. While the skill includes guidelines for the agent to validate these parameters, this reliance on model instruction does not constitute a hard security boundary.
- [COMMAND_EXECUTION]: The skill supports the use of 'sg --rewrite' with the '-U' flag to perform structural codemods. This capability allows the agent to execute mass, automated modifications to source code files across the repository via the shell, which is a high-impact operation.
- [EXTERNAL_DOWNLOADS]: The documentation outlines the installation of the 'tilth' MCP server using the command 'tilth install '. This involves the download and execution of software components from an external source to establish the necessary tool environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it searches and retrieves content from a local codebase, which is considered untrusted data.
  - Ingestion points: Untrusted content enters the agent context through 'tilth_search' and 'tilth_deps' tool outputs.
  - Boundary markers: The instructions do not specify the use of clear delimiters or unique markers to isolate the retrieved code snippets from the agent's core system prompt.
  - Capability inventory: The skill has access to the 'Bash' tool, allowing for shell command execution and mass file modification.
  - Sanitization: There are no explicit instructions to sanitize or escape the content retrieved from the file system before presenting it to the model, creating a risk that malicious comments or code within the searched repository could influence the agent's behavior.
Audit Metadata