The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill downloads content from an external repository during setup and usage. It uses git clone to fetch the Open Design catalogue from https://github.com/nexu-io/open-design to the local directory ~/.open-design-skill/repo. It also offers to perform a git pull to update this content during project initialization.
[REMOTE_CODE_EXECUTION]: The skill demonstrates remote content execution by instructing the agent to read and follow the logic contained within SKILL.md files from the cloned external repository. Phase 3 of the workflow specifically directs the agent to compose and execute the workflow defined in the downloaded SKILL.md bodies, effectively allowing the remote repository maintainer to control agent behavior.
[COMMAND_EXECUTION]: The skill requires the execution of several shell commands to manage its lifecycle and content. These include:
git clone https://github.com/nexu-io/open-design "$ROOT" to fetch external content.
git -C "$ROOT" pull --ff-only to update external content.
node "$SKILL_DIR/scripts/list-*.mjs" to execute local helper scripts that parse the downloaded content.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and follows instructions from an external source without boundary markers or sanitization. This is documented as follows:
Ingestion points: The agent reads SKILL.md and DESIGN.md files from the external ~/.open-design-skill/repo directory.
Boundary markers: There are no delimiters or instructions to ignore embedded malicious prompts within the external files.
Capability inventory: The agent has the ability to execute shell commands (via the skill's scripts), write files (artifacts) to the project directory, and perform network operations via git.
Sanitization: There is no validation or filtering of the external content before it is processed by the agent.

open-design