skills/build000r/skills/skill-issue/Gen Agent Trust Hub

skill-issue

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill performs automated scanning of sensitive environment configuration files. scripts/lib/scanner.py and scripts/audit_context.py are designed to locate and analyze files like ~/.claude/settings.json and .mcp.json, and the _has_secret_env_vars function in the scanner module identifies potential credentials such as keys, tokens, and passwords. While this is intended for auditing, it provides the agent with direct visibility into the location and potential content of secrets.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its reliability review feature. The scripts/review_skill_usage.py script reads and extracts historical session logs from ~/.claude/projects/ and ~/.codex/sessions/. This data is ingested into the current context without boundary markers (delimiters or specific safety instructions) or sanitization of the extracted message content. If previous session logs contain malicious instructions, they could influence the agent's behavior during the review process.
  • [COMMAND_EXECUTION]: The skill performs administrative-level operations on the local filesystem. scripts/init_skill.py uses chmod(0o755) to set executable permissions on generated scripts, and scripts/package_skill.py creates compressed archives of local directories. Additionally, the test suite (tests/test_tool_invocation_counts.py) uses dynamic module loading via SourceFileLoader. These high-authority operations are consistent with the skill's purpose as a developer tool but grant the agent significant control over the environment.
  • [EXTERNAL_DOWNLOADS]: Documentation within the skill (specifically references/publishing.md) encourages the use of npx skills add for installing skills from remote GitHub repositories and mentions skills.sh as a publishing target. While these are presented as standard workflows, they involve the installation of external code from unverified sources.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:11 PM