Gen Agent Trust Hub audit of skills/terrylica/cc-skills/finalize

Skill: finalize

Result: Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill retrieves the GitHub authentication token using gh auth token and embeds it directly into a URL for execution within git push. This practice exposes the plaintext token in the system's process table (e.g., via ps aux), making it visible to other users or processes on the system.
  • [COMMAND_EXECUTION]: The execution phase uses string manipulation (via sed) to construct a command string containing the GitHub token. This method is fragile and susceptible to command failure or unexpected behavior if the token or the repository URL contains the delimiter character (|).
  • [PROMPT_INJECTION]: The 'Self-Evolving Skill' directive instructs the agent to immediately modify the SKILL.md file if it encounters issues. This creates a self-modification loop where the agent's own logic can be tampered with. If an attacker can influence the agent's perception of a 'reproducible issue' (e.g., via poisoned input data), they could induce the agent to write malicious instructions into the skill's definition.
  • [DATA_EXFILTRATION]: The skill implements a workflow that harvests credentials and transmits local data (.cast recordings) to a remote GitHub repository. While this is the stated purpose, the combination of credential harvesting and automated data upload represents a high-risk capability chain.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from .cast files (NDJSON format) and performs an integrity check. If these files contain specifically crafted content that triggers an error or a 'reflection' event, the agent may be tricked into modifying the skill or executing unintended commands under the 'Self-Evolving Skill' framework. Evidence: Ingestion point in Phase 4 (SKILL.md); No boundary markers or sanitization present; Capabilities include Bash and Git access.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 11, 2026, 01:40 AM