The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill facilitates downloading content from external sources such as npm and GitHub.
Evidence: The use of bunx skills downloads and executes a package from npm. Commands like bunx skills add <package-or-url> fetch content from remote URLs such as https://github.com/sjunepark/custom-skills and vercel-labs/skills.
[COMMAND_EXECUTION]: The skill relies on shell command execution to perform its primary tasks.
Evidence: Frequent use of the bunx utility to run commands like list, check, update, and remove for managing the skill ecosystem.
[REMOTE_CODE_EXECUTION]: The skill is designed to install and manage "skills," which are explicitly defined in the documentation as executable instructions.
Evidence: Automated installation from remote URLs (bunx skills add <url>) can lead to the deployment and subsequent execution of untrusted logic or instructions within the agent's context. The skill explicitly warns users to "Treat installed skills as executable instructions; avoid untrusted sources."
[PROMPT_INJECTION]: This skill provides a significant attack surface for indirect prompt injection by design.
Ingestion points: External GitHub repositories and local paths specified via the add command.
Boundary markers: There are no explicit delimiters or "ignore embedded instructions" warnings described to isolate the agent from the instructions being downloaded.
Capability inventory: The agent has the ability to execute shell commands, perform network operations, and modify files in sensitive user directories like ~/.claude/skills and ~/.pi/agent/skills.
Sanitization: No evidence of validation, sanitization, or content filtering for the downloaded instructions is provided before they are installed and active.

skills-cli