readme-expert
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements an automated testing feature designed to verify README code examples. The 'knowledge/application/script-executor.md' file specifies that commands classified as 'Safe' (e.g., --help, --version) or 'Read-Only' (e.g., cat, grep, ls) are auto-executed without user confirmation. This behavior can be exploited by an attacker who places malicious commands or script aliases within a repository that the user is analyzing.
- [COMMAND_EXECUTION]: The skill frequently uses the 'Bash' tool to execute instructions extracted from the codebase. It classifies commands into risk levels, but the automated nature of certain executions poses a risk if the input source is untrusted.
- [DATA_EXFILTRATION]: The skill performs codebase scanning for sensitive information, including environment variables and configuration files ('knowledge/foundation/codebase-scanner.md'). Because the skill also has the capability to perform external network requests via 'WebFetch' ('knowledge/foundation/validation-checklist.md'), there is a risk that sensitive local data could be exfiltrated to an external server if the agent is tricked by malicious instructions in the project files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted project data and acts upon instructions found within that data.
  - Ingestion points: Codebase files and existing READMEs are ingested via the Read, Glob, and Grep tools ('knowledge/foundation/codebase-scanner.md').
  - Boundary markers: The skill lacks explicit boundary markers or instructions to ignore directives embedded within the untrusted project files.
  - Capability inventory: The skill has access to shell execution (Bash), network access (WebFetch), and filesystem access (Read/Write/Glob).
  - Sanitization: Limited to a rule-based risk classification of commands, which does not account for aliases or malicious scripts named after 'safe' commands.