
debug-mode

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The agent is instructed to read log files (.log) generated by the application being debugged. If that application processes and logs untrusted data, an attacker could plant instructions in the logs intended to manipulate the agent's behavior.
  • Ingestion points: The agent reads logs using the cat command as specified in SKILL.md.
  • Boundary markers: No delimiters or safety warnings are present; logs are processed directly as NDJSON.
  • Capability inventory: The skill environment can execute shell commands via execSync, perform local filesystem operations, and run a local network server.
  • Sanitization: None. The instructions encourage the agent to treat log content as objective evidence for debugging.
  • [DATA_EXFILTRATION]: A path traversal vulnerability exists in scripts/debug_server.js. The /log endpoint takes a sessionId directly from the POST request body and uses it to build a file path via path.join(LOG_DIR, ...) without any sanitization. Because path.join resolves parent-directory segments rather than rejecting them, a malicious application being debugged can write files outside the designated .debug directory by supplying a sessionId containing directory traversal sequences (e.g., ../../).
  • [COMMAND_EXECUTION]: The skill relies on executing local Node.js scripts (debug_server.js, debug_cleanup.js) that interact with the system's process table using lsof and kill. Although port numbers are currently parsed as integers before use, running local servers that accept external network input enlarges the attack surface of the agent's host.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates generating instrumentation code (JavaScript and Python) and injecting it into the user's project. While this is the intended purpose, it means the agent dynamically creates code that is then executed by the application, and the content of that code may be influenced by whatever the agent read during its analysis of the project.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 12:42 PM