docker-first-runner

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/detect-env.js uses child_process.execSync to run system commands such as docker --version, docker ps, and python3 --version to identify the host environment. These particular commands are hardcoded, but execSync passes its command string through a shell, and synchronous host-level shell execution is a sensitive capability in itself.
  • [COMMAND_EXECUTION]: Instructions in SKILL.md and references/strategy-guide.md guide the AI to construct shell commands by interpolating variables (e.g., node scripts/version-compare.js "$(本地版本)", where 本地版本 means "local version"). If an attacker can influence the environment data or the version strings the agent processes, this pattern is exploitable for command injection: a value containing shell metacharacters (quotes, semicolons, $(...)) is spliced into a command string that the agent then executes.
  • [EXTERNAL_DOWNLOADS]: The skill references and downloads official Docker images (e.g., python:3.11-slim, node:18-alpine, ruby:3.1-alpine) from well-known official registries for containerized execution.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8).
      • Ingestion points: environment metadata captured by scripts/detect-env.js and external version requirements defined in references/language-matrix.md.
      • Boundary markers: absent; no delimiters mark the processed data as untrusted, and no instruction tells the agent to ignore commands embedded in it.
      • Capability inventory: host-level shell execution through execSync in scripts/detect-env.js, plus the agent's ability to run docker and node commands as instructed in the guides.
      • Sanitization: neither the version-compare.js script nor the associated manual commands sanitize or escape the arguments passed from the agent's context to the shell.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 23, 2026, 12:49 PM