external-gitcode-ascend-verl-async-dapo

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill handles SWANLAB_API_KEY credentials. In scripts/quick_start.sh, this key is passed as an environment variable within a command string to docker exec. This practice exposes the sensitive key in the host system's process table (visible via ps), making it accessible to other users on the machine.
  • [COMMAND_EXECUTION]: scripts/run_dapo.sh employs dynamic execution by using config_generator.py to write a temporary shell script to /tmp/run_verl_temp.sh and then executing it. This pattern of generating and running code at runtime is a risk if parameters are influenced by untrusted inputs.
  • [EXTERNAL_DOWNLOADS]: scripts/common.sh attempts to load a shell library from a hardcoded path belonging to an external skill (~/.claude/skills/swanlab-setup/scripts/functions.sh), creating a dependency on external code.
  • [COMMAND_EXECUTION]: Several scripts (e.g., quick_start.sh) construct complex shell commands for docker exec using multiple interpolated environment variables, which increases the potential for command injection if variables are not properly sanitized.
  • [SAFE]: The YARA detection for dangerous process control in scripts/common.sh relates to pkill -9 ray. In the context of this skill's purpose—managing a Ray distributed training cluster—this is a benign cleanup task.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 06:27 AM