workflow-migration

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill explicitly instructs the agent to access and read sensitive credential files on the local filesystem, specifically targeting ~/.claude/skills/{skill-name}/.env.
  • [CREDENTIALS_UNSAFE]: The skill performs active harvesting of secrets from the current shell environment using commands like echo $NOTION_API_KEY, echo $DATABASE_ID, and env | grep -E 'NOTION_|DATABASE_|API_|CLAUDE_|TOKEN'.
  • [CREDENTIALS_UNSAFE]: The instructions direct the agent to reveal the raw values of detected secrets in its output to the user (e.g., displaying CLAUDE_CODE_OAUTH_TOKEN: sk-ant-oat01-...).
  • [COMMAND_EXECUTION]: The skill uses shell commands to browse the filesystem and discover files that likely contain sensitive data, including ls -la ~/.claude/skills/ and find ~/.claude/skills -name 'SKILL.md'.
  • [DATA_EXFILTRATION]: The skill facilitates the movement of credentials from secure contexts (environment variables or local config directories) into less secure files (.env in a new project folder) or directly into the agent's conversational output, which constitutes a data exposure risk.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it is designed to ingest and process untrusted SKILL.md files from the local filesystem and translate them into new agent instructions without sanitization or boundary markers.
  • Ingestion points: ~/.claude/skills/{skill-name}/SKILL.md (read via cat)
  • Boundary markers: Absent; the agent is instructed to read the file "carefully" and "preserve the logic"
  • Capability inventory: Filesystem discovery (ls, find), file reading (cat), file writing (cat > .env), and project generation (mkdir)
  • Sanitization: Absent; the instructions do not mention escaping or validating the content of the source skill before migration
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 17, 2026, 04:44 PM