Local File Manager

The skill contains a critical command injection vulnerability in index.ts, where arguments (including file content and paths) are joined into a shell string and executed via execAsync without sanitization. This allows for arbitrary code execution on the host system. Additionally, index.ts contains a hardcoded absolute path (/Users/nico/...) for the shell script, which is highly irregular for a portable skill bundle. While these represent severe security flaws (RCE), they appear to be unintentional vulnerabilities rather than intentional malware, as no exfiltration logic or backdoors were identified.