The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The scripts/setup.sh script downloads an executable binary from a remote GitHub repository (NOMARJ/sigil) and executes it immediately to verify the version. The documentation in references/TROUBLESHOOTING.md also suggests an installation method using a curl | bash pipe from sigilsec.ai.
[EXTERNAL_DOWNLOADS]: The skill downloads binaries and scripts from external sources not included in the trusted vendor list. A significant discrepancy was found between the stated author 'nomarj' and the npm package name '@nomark/sigil' (j vs k substitution), which is a common indicator of typosquatting and supply chain attacks.
[CREDENTIALS_UNSAFE]: The scripts/audit-env.sh script is designed to access and read highly sensitive local files to check for secrets. These include cloud provider credentials (~/.aws/credentials, ~/.kube/config), private SSH keys (~/.ssh/id_rsa), and shell history files (.bash_history, .zsh_history) that may contain plain-text passwords or tokens.
[COMMAND_EXECUTION]: The skill makes extensive use of shell commands to perform its operations. The scripts/scan.sh wrapper invokes git clone, npm install, and pip install on user-provided targets, which could lead to command injection if target inputs are not properly sanitized.
[DATA_EXFILTRATION]: Documentation in references/PHASES.md contains a reference to a known exfiltration/tunneling service URL (https://abc123.ngrok.io/exfil). While provided as an example for a detection rule, automated scanners have flagged this specific endpoint as malicious.
[PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. Because it is designed to audit external code and provide safety verdicts, a malicious target could be crafted to produce output that tricks the agent into misinterpreting the risk verdict or ignoring findings through formatted response manipulation.

sigil-scan