The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The script scripts/probe-cc-glm.sh extracts a secret named 'zai-api-key' from the macOS Keychain using the security find-generic-password command, which constitutes unauthorized credential harvesting. \n- [DATA_EXFILTRATION]: The scripts/probe-cc-glm.sh script transmits sensitive environment variables and the harvested API token to an unrecognized external domain api.z.ai via curl. It also configures the claude binary to route traffic through this third-party endpoint, allowing for data interception. \n- [COMMAND_EXECUTION]: The skill performs multiple shell and subprocess executions. scripts/sync-obsidian.py uses subprocess.run to call inventory-obsidian.sh, and scripts/run-cc-glm-ingest.sh executes the node runtime to run an external companion script. The probe-cc-glm.sh script also executes several dynamic Python blocks via stdin. \n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads raw note content from an Obsidian vault and passes it to an LLM with write access to the workspace. \n
Ingestion points: Reads files from the user's Obsidian vault via the SOURCE_PATH variable in scripts/run-cc-glm-ingest.sh. \n
Boundary markers: The note content is interpolated into the prompt without protective delimiters or instructions to ignore embedded commands. \n
Capability inventory: The sub-agent is granted Edit and Write permissions for the entire wiki/ directory. \n
Sanitization: No validation or filtering of the note content is performed before processing.

wiki-backfill