herobrine (skills/aaarnv/claude-skills/herobrine)

Gen Agent Trust Hub

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • Dangerous Autonomous Execution (HIGH): run-agent.sh invokes claude with --dangerously-skip-permissions, which disables the human-in-the-loop approval prompt for every tool call, including file writes and shell commands. Because these agents run headlessly on a launchd schedule, nobody is present to review what the model decides to run, so any bad instruction, whether from the prompt itself or from injected content, becomes an unreviewed change to the system.
  • Indirect Prompt Injection (HIGH): The skill is designed to feed untrusted content (web research results, PR digests) straight into the model with no safety boundary between data and instructions.
      • Ingestion points: Untrusted data enters through the automated research and monitoring tasks defined in the agent prompt.
      • Boundary markers: None. External content is passed to the model directly, with nothing to tell it which text is data and which is instruction.
      • Capability inventory: Full shell access and file manipulation through the Bash tool, with permission prompts skipped, so an injected instruction can be executed immediately.
      • Sanitization: No escaping or filtering is applied to content retrieved from external sources.
  • Persistence Mechanism (HIGH): The skill uses launchctl to install launchd plists in ~/Library/LaunchAgents. Agents in that directory are loaded at every login of the user and run on whatever schedule the plist defines, so the agent scripts keep executing across reboots and sessions with no further interaction. This is the standard macOS user-level persistence technique, and here it is combined with the permission-skipping execution described above.
  • Path Traversal (MEDIUM): The NAME argument to manage-agent.sh is interpolated into file paths without validation (e.g. "$PLIST_DIR/${PLIST_PREFIX}.${NAME}.plist"). A name containing / or ../ can therefore place the plist, and anything else derived from NAME, outside the intended directory. Restricting NAME to a short allowlist of characters (letters, digits, - and _) and checking that the resulting path is a direct child of $PLIST_DIR before writing closes this.
  • Hardcoded Credentials & Absolute Paths (LOW): The skill ships a hardcoded Beeper chat ID (!edBouVfejemeEBwbQn:beeper.com) as a default, and run-agent.sh relies on an absolute path into one developer's home directory (/Users/aarnavsheth/.local/bin/claude). The chat ID is a Matrix-style room identifier rather than a secret on its own, but as a default it silently routes agent output to that developer's room for anyone who runs the skill unchanged; the hardcoded binary path breaks on every other machine and is better replaced by resolving claude from PATH (command -v claude).
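The following is an added example of how the NAME handling in the path traversal finding could be hardened. It is not code from the herobrine skill; it reuses only the PLIST_DIR and PLIST_PREFIX variable names quoted in the audit, and the default prefix (com.example.agent), the plist body and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the skill's own manage-agent.sh): derive the launchd plist
# path from an agent NAME safely. PLIST_DIR and PLIST_PREFIX are the variable
# names the audit quotes; the default prefix below is an assumption.
PLIST_DIR="${PLIST_DIR:-$HOME/Library/LaunchAgents}"
PLIST_PREFIX="${PLIST_PREFIX:-com.example.agent}"

# Original construction quoted by the audit, for comparison:
#   "$PLIST_DIR/${PLIST_PREFIX}.${NAME}.plist"
# Nothing stops NAME from carrying '/' or '..', so the file can land elsewhere.

# Accept only 1-64 characters from [A-Za-z0-9_-]. Dots and slashes are rejected
# outright, which removes every way to spell ".." or a directory separator.
validate_agent_name() {
  name=$1
  case "$name" in
    "") return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#name}" -le 64 ]
}

# Print the plist path for a validated name; print nothing and fail otherwise.
plist_path() {
  validate_agent_name "$1" || return 1
  printf '%s/%s.%s.plist\n' "$PLIST_DIR" "$PLIST_PREFIX" "$1"
}

# Defense in depth before any write: the computed path must be a direct child
# of PLIST_DIR (no further '/'), not a dotfile, and end in .plist. This guards
# against a future edit loosening the allowlist above.
path_within_plist_dir() {
  rel=${1#"$PLIST_DIR"/}
  [ "$rel" != "$1" ] || return 1          # PLIST_DIR prefix did not match
  case "$rel" in
    */*|.*) return 1 ;;                    # subdirectory or hidden file
    *.plist) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a minimal plist for NAME that runs the given command, refusing bad
# names. The plist body is illustrative, not the skill's actual plist.
write_plist() {
  name=$1; shift
  path=$(plist_path "$name") || { echo "refusing invalid agent name" >&2; return 1; }
  path_within_plist_dir "$path" || { echo "refusing path outside $PLIST_DIR" >&2; return 1; }
  mkdir -p "$PLIST_DIR"
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<plist version="1.0"><dict>\n'
    printf '  <key>Label</key><string>%s.%s</string>\n' "$PLIST_PREFIX" "$name"
    printf '  <key>ProgramArguments</key><array>\n'
    for arg in "$@"; do printf '    <string>%s</string>\n' "$arg"; done
    printf '  </array>\n</dict></plist>\n'
  } > "$path"
  printf '%s\n' "$path"
}
```

Usage from a manage-agent.sh-style wrapper would be `write_plist "$NAME" /path/to/run-agent.sh` followed by `launchctl load` of the printed path; with this in place, `write_plist ../../evil ...` is refused before anything touches the filesystem. The allowlist check is the real control; the containment check on the final path is there so that a later change to the allowlist cannot quietly reopen the traversal.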
Recommendations
  • AI detected serious security threats; do not install this skill as shipped.
  • Remove --dangerously-skip-permissions from run-agent.sh, or confine the headless agent to an explicit tool allowlist with no unrestricted shell access.
  • Validate NAME in manage-agent.sh against a strict character allowlist and confirm the computed plist path stays inside ~/Library/LaunchAgents before writing.
  • Mark externally fetched content with explicit data boundaries and instruct the model to treat it as untrusted; never let fetched text reach a permission-free Bash tool.
  • Replace the hardcoded chat ID and the developer-specific claude path with required configuration or PATH resolution.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:12 AM