The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The auto-approval list for Bash commands in scripts/ai-review.sh includes 'env' and 'printenv'. These commands output environment variables which frequently contain sensitive credentials, API keys, and access tokens.
[DATA_EXFILTRATION]: The allowlist in scripts/ai-review.sh includes file-reading commands like 'cat', 'head', and 'tail' without any path restrictions. This allows the agent to automatically read sensitive files such as ~/.ssh/id_rsa, ~/.aws/credentials, or .env files without user intervention.
[PROMPT_INJECTION]: The AI review component in scripts/ai-review.sh is vulnerable to indirect prompt injection. 1. Ingestion points: Untrusted tool input is read from stdin and parsed via jq. 2. Boundary markers: None; raw input is interpolated directly into the evaluation prompt. 3. Capability inventory: The hook has the authority to 'allow' or 'deny' tool execution, including file writes and shell commands. 4. Sanitization: No sanitization or escaping is performed on the tool input before it is sent to the reviewer model.
[DATA_EXFILTRATION]: The hook script logs all tool inputs and AI review decisions to ~/.claude/ai-review.log. Because tool inputs can contain sensitive data, code snippets, or secrets, this log file becomes a repository of potentially sensitive information stored in plain text.
[COMMAND_EXECUTION]: The installation script modifies the user's agent configuration (~/.claude/settings.json) to register a persistent PreToolUse hook. This hook executes a shell script on every tool call, which increases the attack surface for logic bypasses or exploitation of the review script's logic.

auto-permissions-review-install