The Agent Skills Directory

[DATA_EXFILTRATION]: The skill directs the agent to read sensitive configuration files associated with various AI platforms to discover tool definitions.
Evidence: Phase 1 (Discovery) in SKILL.md targets files such as ~/Library/Application Support/Claude/claude_desktop_config.json, .cursor/mcp.json, and ~/.claude/settings.json.
Risk: These configuration files often contain environment variables, server connection details, and in some cases, embedded credentials or security tokens used by the agent environment.
[COMMAND_EXECUTION]: The skill utilizes local scripts and system tools for analysis, estimation, and generation.
Evidence: The workflow executes python3 scripts/estimate_tokens.py to calculate potential token savings.
Evidence: It uses npm info and pip show to retrieve package metadata from public registries for tool discovery.
Evidence: The conversion process involves generating and suggesting shell commands (curl), CLI invocations (gh, aws, kubectl), and Python code snippets for the user to implement.
[PROMPT_INJECTION]: The skill ingests and analyzes external, potentially untrusted data, creating a surface for indirect prompt injection.
Ingestion points: The skill parses MCP tool definitions, JSON schemas, and server source code from local files, package registries, or user input (SKILL.md Phase 1).
Capability inventory: The skill possesses the ability to read local files, execute shell commands via bash_tool, and perform network requests via web_fetch or curl.
Boundary markers: No explicit delimiters or instructions are provided to the agent to treat external schema content as non-instructional data.
Sanitization: There is no evidence of sanitization or structural validation performed on the ingested schemas before they are analyzed for conversion strategy.

mcp-to-skill