stacksmith-release
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill extracts a command string from the '## Testing' section of 'CLAUDE.md' and executes it directly in a shell environment. This allows for arbitrary command injection if the file is maliciously modified.
- [REMOTE_CODE_EXECUTION]: Test commands are dynamically inferred from project files like 'package.json', 'Gemfile', and 'Cargo.toml'. Since these commands are executed automatically during the release flow, it presents a risk of executing malicious code embedded in these configurations.
- [DATA_EXFILTRATION]: Performs network requests using 'curl' to URLs extracted from 'CLAUDE.md'. This pattern can be exploited for Server-Side Request Forgery (SSRF) or to exfiltrate data to an attacker-controlled endpoint if the documentation is compromised.
- [DATA_EXFILTRATION]: Accesses and appends to '~/.mystack/timeline.jsonl', which is a file outside the project repository. This provides a side-channel for tracking user activity and potential exposure of sensitive historical logs.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted project data without sanitization. Mandatory Evidence Chain: (1) Ingestion points: CLAUDE.md, package.json, Gemfile, requirements.txt, and ~/.mystack/timeline.jsonl. (2) Boundary markers: Absent. (3) Capability inventory: Full shell access via Bash tool, file modification via Write tool. (4) Sanitization: Absent.
- [EXTERNAL_DOWNLOADS]: Fetches data and updates remote repositories using 'git' and 'gh' CLI tools. While necessary for the skill's functionality, it establishes a communication channel with external services that handles sensitive repository data.
Recommendations
- AI detected serious security threats
Audit Metadata