skills/terrylica/cc-skills/status/Gen Agent Trust Hub

status

Fail

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bash implementation in SKILL.md is vulnerable to shell command injection. The variable loop_id is interpolated directly into a double-quoted string within a jq command. Because bash evaluates command substitutions inside double quotes, an attacker-controlled argument containing backticks or $() would execute arbitrary code in the host environment.
  • [COMMAND_EXECUTION]: The skill is susceptible to jq filter injection. The $loop_id variable is used to construct a jq filter string without proper escaping. A malicious payload can break out of the string literal (e.g., using ") | ...) to execute unintended jq operations and potentially leak sensitive data from the loop registry.
  • [PROMPT_INJECTION]: The skill contains 'Self-Evolving' and 'Post-Execution Reflection' directives that instruct the AI to modify the SKILL.md file itself based on runtime outcomes. This creates a significant risk of persistent instruction injection, where an attacker could influence the agent to rewrite its own source code, potentially introducing malicious behavior or bypassing safety constraints.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 3, 2026, 02:52 AM