analyze-oss

Fail

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The execution logic in Phase 1 contains a significant shell command injection vulnerability. The script substitutes placeholders such as <repo-url> and <derived from URL> directly into shell commands (mkdir, cd, git pull, git clone) without validation or proper escaping. A crafted input containing shell metacharacters (e.g., ;, &, |, or backticks) would allow an attacker to execute arbitrary system commands.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from remote repositories.
      • Ingestion points: Untrusted files such as README.md, package.json, and documentation are read from cloned repositories into the agent's context in Phase 2 and Phase 3.
      • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded prompts when subagents process repository files.
      • Capability inventory: The main agent has shell execution capabilities, and subagents have full filesystem access to the cloned repository with instructions to "grep liberally."
      • Sanitization: There is no sanitization or filtering of the external repository content before it is interpolated into subagent prompts.
  • [EXTERNAL_DOWNLOADS]: The skill uses git clone and git pull to fetch content from external URLs. While the skill primarily targets GitHub (a well-known service), the lack of validation on the provided URLs allows the agent to interact with potentially malicious remote sources.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 20, 2026, 01:29 PM