second-opinion

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • CREDENTIALS_UNSAFE (HIGH): The script scripts/consult.sh contains logic in the load_api_key function to specifically search for and read .env and .env.local files. These files are standard locations for sensitive secrets, and providing a tool with built-in access to them is a high-risk pattern.
  • DATA_EXFILTRATION (HIGH): The skill provides a mechanism to read arbitrary local files (via the --files argument) and send their full content to an external network endpoint (api.openai.com). While intended for peer review, this behavior constitutes a significant exfiltration risk, as an attacker could leverage the agent to leak sensitive system files such as SSH keys or cloud credentials to an external service.
  • PROMPT_INJECTION (LOW): The skill creates an indirect prompt injection surface by ingesting untrusted data from local files and passing it directly to an external LLM. Malicious instructions embedded in the files could hijack the consultant's response, potentially influencing the primary agent's subsequent actions.
    • Ingestion points: Files read via the --files flag in scripts/consult.sh.
    • Boundary markers: Uses Markdown headers and code blocks, which are insufficient to prevent adversarial instruction overrides.
    • Capability inventory: File reading via cat and network transmission via curl.
    • Sanitization: None detected; file contents are escaped for JSON syntax, but the semantic content remains unvalidated.
  • METADATA_POISONING (MEDIUM): The SKILL.md file contains deceptive claims about the existence and release of 'GPT-5' models (dated August 2025), which may mislead users regarding the skill's capabilities or authenticity.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 07:25 AM