The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill recommends installing software using curl --proto '=https' --tlsv1.2 -LsSf https://setup.atuin.sh | sh. Executing a script directly from a remote URL via shell pipe bypasses package manager verification and local security controls.
[COMMAND_EXECUTION]: Shell integration is configured using eval "$(atuin init ...)" patterns, which execute dynamically generated code at the start of every shell session.
[CREDENTIALS_UNSAFE]: The skill documentation details the management of highly sensitive data, including an end-to-end encryption key and session tokens located at ~/.local/share/atuin/key and ~/.local/share/atuin/session. Instructions include manual backup of these secrets to unencrypted locations.
[DATA_EXFILTRATION]: The atuin sync command transmits command history to an external service (api.atuin.sh). While documented as encrypted, this establishes a network data flow for sensitive shell history data.
[COMMAND_EXECUTION]: Detailed instructions are provided for creating persistent background processes using systemd (Linux) and launchd (macOS) to maintain the sync daemon across restarts.
[PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8) because it processes untrusted data from shell history logs.
Ingestion points: Data is ingested from the SQLite history database and via commands like atuin search and atuin history list.
Boundary markers: No explicit boundary markers or isolation instructions are present to prevent the agent from obeying instructions embedded in the shell history.
Capability inventory: The skill has the capability to execute shell commands (eval, sh), access the filesystem, and perform network requests via sync and curl.
Sanitization: Although a secrets_filter is used to prevent the storage of common secrets in history, there is no sanitization of history data before it is read or processed by the agent.

atuin