video

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Path traversal vulnerability in publish_asset.py. The script accepts a rename argument or derives a filename from a URL and joins it with a base directory (ASSETS_DIR / target_name) without sanitization. This allows an attacker to use sequences like ../../ to write or overwrite files anywhere in the workspace, potentially leading to the corruption of system files or other skills.
  • [COMMAND_EXECUTION]: Dynamic code execution via exec(open().read()). The SKILL.md instructions direct the agent to execute Python scripts by reading their contents and passing them to exec(). This practice is inherently risky as it can be exploited to run arbitrary code if the file paths or contents are influenced by an attacker.
  • [EXTERNAL_DOWNLOADS]: Insecure network configuration. Both generate_video.py and poll_status.py explicitly disable SSL certificate verification (verify=False) and suppress InsecureRequestWarning messages. This renders the agent vulnerable to Man-in-the-Middle (MitM) attacks, allowing attackers to intercept or modify data sent to and from the video generation proxy and external CDNs.
  • [EXTERNAL_DOWNLOADS]: Arbitrary file download. The publish_asset.py script allows downloading content from any user-provided URL into the workspace. This could be used for Server-Side Request Forgery (SSRF) if the agent is directed to target internal network services or to pull malicious payloads into the environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 01:00 PM