agent-os-profile-critique

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH

Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script .workspace/run-trigger-eval.sh performs highly sensitive operations on the ~/.claude directory, which typically stores active session tokens and authentication configuration. It renames the directory and selectively copies auth-related folders (sessions, config, statsig), which could be exploited to hijack or expose credentials if the script or the backup location is compromised.
  • [COMMAND_EXECUTION]: The skill contains instructions for destructive commands and complex shell logic. The file references/v2-vs-v3.md provides rm -rf commands targeting the .claude directory structure. Additionally, .workspace/run-trigger-eval.sh executes shell commands that modify the user's home directory and authentication state.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Because its primary purpose is to read and critique external data (Agent OS standards), there is a significant surface for malicious instructions to be embedded in the files being audited. The skill lacks boundary markers or explicit 'data-only' processing instructions to prevent the agent from obeying commands found within those files.
  • [REMOTE_CODE_EXECUTION]: The file .workspace/run-trigger-eval.sh uses dynamic execution patterns, including executing a Python heredoc and manipulating the PYTHONPATH environment variable to load modules from runtime-constructed paths (e.g., $HOME/.claude-back/skills/create-a-skill).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 03:30 AM