dify-tool-developer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Remote Code Execution / External Downloads] (HIGH): The skill includes a Python script (scripts/install_cli.py) that downloads a binary executable from github.com/langgenius/dify-plugin-daemon. The script automatically grants execution permissions and runs the binary via subprocess.run. Because the repository belongs to an organization not on the pre-approved trusted list, this represents a high-severity RCE risk.
  • [Privilege Escalation] (MEDIUM): The scripts/install_cli.py script uses os.chmod to make the downloaded binary executable. Granting execution privileges to untrusted external binaries is a significant privilege modification on the local system.
  • [Permission Bypass] (MEDIUM): The skill.json metadata declares restricted network access to only docs.dify.ai. However, the helper scripts perform unauthorized network operations against api.github.com and github.com to retrieve version info and binary assets.
  • [Indirect Prompt Injection] (LOW): The skill fetches remote markdown documentation from docs.dify.ai using scripts/fetch_doc.sh to guide the agent's development workflow. This creates a surface where malicious instructions could be injected if the documentation site were compromised.
  • Ingestion points: Documentation content fetched from docs.dify.ai into the agent's execution context.
  • Boundary markers: None detected; external content is treated as authoritative guide data.
  • Capability inventory: The skill possesses capabilities for binary execution (subprocess), file permission modification (chmod), and network requests (curl).
  • Sanitization: None detected.
  • [Command Execution] (LOW): The skill makes extensive use of shell scripts and subprocess calls to manage the local environment, which increases the potential attack surface.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:30 PM