docs-seeker

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The primary workflow instructions in SKILL.md and workflows/topic-search.md utilize a vulnerable command-line template: node scripts/detect-topic.js "<user query>". If an attacker provides a query containing shell metacharacters or balanced quotes (e.g., test" && touch /tmp/pwned #), the agent may execute arbitrary code on the host system. This risk is compounded by the skill's reliance on running these local scripts for its core functionality.
  • [CREDENTIALS_UNSAFE]: The script scripts/utils/env-loader.js implements traversal logic that attempts to locate and load .env files from parent directories (e.g., searching up to ../../.. from the script's location). This allows the skill to harvest sensitive API keys, tokens, and secrets stored in global configuration directories (like ~/.claude/.env) or parent project folders, exposing them to potential misuse or exfiltration.
  • [EXTERNAL_DOWNLOADS]: The workflows/repo-analysis.md file instructs the agent to execute git clone on arbitrary repository URLs provided via web search and to perform global package installations (npm install -g repomix). This introduces a high risk of supply chain attacks and the execution of malicious logic embedded in untrusted external repositories or packages.
  • [DATA_EXFILTRATION]: The scripts/fetch-docs.js script transmits user-influenced data (library names and topics extracted from queries) to the external domain context7.com via HTTPS GET requests. In an environment where the skill has already harvested global credentials from the file system, this creates a viable path for exfiltrating sensitive data under the guise of documentation fetching.
  • [PROMPT_INJECTION]: The skill uses highly directive language in SKILL.md (e.g., IMPORTANT MUST ATTENTION) to dictate agent task management and search behavior. While not directly malicious in its current form, this pattern relies on the same kind of override language that is typically used to bypass standard agent operational guidelines.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 12:56 PM
Security Audit — agent-trust-hub — docs-seeker