familiarize

Fail

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill explicitly reads the .envrc file in Step 4. This file is commonly used to store sensitive environment variables and secrets for a project.
  • [COMMAND_EXECUTION]: The skill executes multiple bash commands including git rev-parse, find, git log, and head to explore the file system and repository history.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted repository content. It specifically seeks out and reads documentation files (CLAUDE.md, .llmdocs/, README.md) and source code which can contain malicious instructions intended to hijack the agent's behavior.
  • Ingestion points: The agent reads contents from CLAUDE.md, .llmdocs/*.md, README.md, and up to 80 lines of various source code files (Steps 3, 4, and 5).
  • Boundary markers: Absent. No delimiters or instructions are provided to the agent to ignore potential commands embedded within the files it reads.
  • Capability inventory: The skill uses bash for file system operations and several MCP tools (mcp__serena__*) for symbol analysis and memory management.
  • Sanitization: Absent. Files are read and processed without filtering or validation of their content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 27, 2026, 12:19 AM
Security Audit — agent-trust-hub — familiarize