The Agent Skills Directory

[DATA_EXFILTRATION]: The skill accesses highly sensitive configuration files such as ~/.claude.json, %USERPROFILE%\.claude.json, and system-level managed-mcp.json. These files typically store plaintext API keys, access tokens, and server credentials for Model Context Protocol integrations, representing a high data exposure risk.
[COMMAND_EXECUTION]: The skill utilizes the Bash tool to run platform CLI commands including claude mcp list and claude mcp get to retrieve live configuration data. The use of the shell for system introspection provides a mechanism that could be exploited if the agent context is compromised.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing .mcp.json files from untrusted project roots and plugin directories. These external files could contain malicious instructions designed to manipulate the behavior of the mcp-auditor or audit-finding-validator subagents.
Ingestion points: Accesses .mcp.json files in project and plugin scopes.
Boundary markers: No specific delimiters are used to isolate untrusted configuration data from the agent's internal reasoning.
Capability inventory: Uses Bash, Read, and Task tools; invokes external subagents for auditing and validation.
Sanitization: No content validation or escaping is described for the configuration data prior to processing by subagents.

audit-mcp