adopt-styles

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the $ARGUMENTS variable, which contains user-provided component names, directly inside shell commands. A malicious user could provide input containing shell metacharacters (e.g., ;, &&, |) to execute arbitrary commands on the host system.
  • Evidence: In Phase 1, the command find libs/... -name "<component>" uses the user input directly.
  • Evidence: In Phase 3, the command grep -rn '<fd-<component>|fd-<component> ' libs also interpolates the user input directly into a shell execution context.
  • [PROMPT_INJECTION]: The skill processes user-supplied input ($ARGUMENTS) to drive its logic without sufficient boundary markers or instructions to ignore embedded instructions within the component names. This creates a surface for both direct and indirect prompt injection.
  • [DATA_EXFILTRATION]: While the skill primarily interacts with a local repository and a style-guide MCP server, the lack of sanitization in shell commands (noted above) could be leveraged to exfiltrate sensitive files (like .env or SSH keys) if a command injection is successful.
  • [COMMAND_EXECUTION]: The skill performs file system modifications and executes build/test commands (nx run, yarn format) in Phase 4 based on a plan generated from potentially manipulated input. If the 'Discover' phase is subverted via injection, the 'Execute' phase will carry out unauthorized file writes and command executions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 15, 2026, 12:33 PM