read-only-ops

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions explicitly permit the use of the env command, which displays all environment variables. Environment variables frequently contain sensitive secrets such as API keys, tokens, and credentials. The inclusion of curl for network requests, even if limited to GET operations, provides a potential path for data exfiltration if sensitive information is appended to request parameters.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a variety of system commands. While the instructions attempt to limit usage to a 'read-only' subset (e.g., ls, ps, git status), the underlying tool access is not restricted by the platform configuration, allowing for broader command execution beyond the stated scope.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as it is designed to ingest and report raw data from files and command outputs without sanitization.
  • Ingestion points: Data is gathered via Read, Grep, and Bash commands (e.g., git show, cat) as described in Phase 2 of SKILL.md.
  • Boundary markers: Absent. The instructions mandate showing "complete command output" and "raw data" in Phase 3 without recommending the use of protective delimiters or instructions to ignore embedded commands.
  • Capability inventory: The agent has access to networking (curl), process inspection (ps), environment variables (env), and database queries (sqlite3).
  • Sanitization: None. The skill does not perform any validation or filtering of the content retrieved from the filesystem or command outputs before processing it.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 05:55 AM