publish-placeholder-package

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands using placeholders like <package-name> and <code> that are replaced by user input. This pattern is vulnerable to command injection if the user provides malicious strings containing shell metacharacters. Evidence: npm view <package-name>@0.0.0 version and npm publish --otp <code> in SKILL.md.
  • [DYNAMIC_EXECUTION]: The skill dynamically generates a package.json file using user-provided strings. Maliciously crafted input could escape the JSON structure to inject arbitrary package configuration, such as install scripts. Evidence: cat > package.json heredoc block in SKILL.md.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user data to drive agent actions without sufficient boundaries or sanitization.
    • Ingestion points: User-supplied package name, repo directory, and OTP code in SKILL.md.
    • Boundary markers: Absent; placeholders are interpolated directly into shell strings and file templates.
    • Capability inventory: Shell command execution via npm, mktemp, cat, and rm.
    • Sanitization: None; no validation or escaping is applied to user inputs before shell execution or file generation.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 27, 2026, 05:20 PM