The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It ingests untrusted data from the local project (dirty files, feature lists, git state) and has the capability to perform high-impact side effects like git reset and file restoration.
Ingestion points: scripts/git_snapshot.py and scripts/state_snapshot.py ingest external content from the repository being managed.
Boundary markers: None present; the skill lacks delimiters or instructions to ignore embedded commands in the files it snapshots.
Capability inventory: scripts/rollback_handler.py possesses write/execute capabilities via file restoration and git reset commands.
Sanitization: None documented; the skill restores files to their previous state without validating the content being written back into the project.
[CREDENTIALS_UNSAFE] (HIGH): The documentation confirms the skill records "context (session, tokens)" and stores them in checkpoint files (e.g., in .claude/checkpoints/). Storing raw session tokens on the filesystem without clear encryption or isolation protocols is a critical data exposure risk.
[COMMAND_EXECUTION] (MEDIUM): The rollback logic involves executing system-level Git commands (git reset). While appropriate for the task, these commands interact with repository metadata that could be manipulated to cause unintended state changes if not handled via a secure API.

checkpoint-manager