claude-code-account-risk

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM

COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell command execution to run several diagnostic scripts included in the package, such as scripts/egress_consensus_probe.sh and scripts/domain_route_probe.sh. These scripts invoke system utilities like dig, route, and curl to gather telemetry about the user's network environment and routing path to Anthropic's API.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to multiple well-known IP echo and reputation services, including api.ipify.org, ipinfo.io, ifconfig.co, and ipwho.is. These requests are used to determine the public egress IP and assess its 'cleanliness' (ISP vs. datacenter status); they are safe operations when targeting established infrastructure providers.
  • [DATA_EXFILTRATION]: The skill is instructed to access and analyze highly sensitive local files, including .env, .claude/settings.json, and .claude/settings.local.json. This access is intended to detect if credentials or tokens have been leaked into the agent's context. Although the skill instructions explicitly mandate that the agent should not output secret values, the broad access to these paths represents a data exposure risk.
  • [PROMPT_INJECTION]: The skill processes untrusted content from local project files, such as package.json, README.md, and application logs, as part of its risk assessment. This ingestion of external data into the agent's context creates a surface for indirect prompt injection attacks.
      • Ingestion points: Project configuration files (package.json), documentation (README.md), and various log files located in the memory/ or scripts/ directories.
      • Boundary markers: The instructions do not specify the use of clear delimiters or 'ignore' instructions for the processed content.
      • Capability inventory: The skill has access to the file system (Read), network (WebFetch), and shell execution (Bash).
      • Sanitization: No explicit sanitization or validation of the ingested file content is performed prior to analysis.

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 04:21 PM