debug-mode
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Path traversal vulnerability in file operations. The sessionId argument is used to construct file paths without sanitization, potentially allowing the creation or deletion of files outside the intended directory.
  - Evidence: scripts/cli.ts uses path.join(logDir, ...) with unvalidated sessionId input in the /log endpoint and cleanup command.
- [DATA_EXFILTRATION]: The local server enables Cross-Origin Resource Sharing (CORS) by default, allowing any website visited by the user to potentially interact with the log server endpoints.
  - Evidence: scripts/cli.ts uses HttpMiddleware.cors() without origin restrictions.
- [EXTERNAL_DOWNLOADS]: Fetches and installs dependencies using Bun and NPX from the author's repository.
  - Evidence: README.md and package.json reference andrueandersoncs/debug-skill and several @effect packages.
- [PROMPT_INJECTION]: The skill presents raw runtime logs to the agent for analysis, creating an attack surface for indirect prompt injection if the instrumented application logs untrusted data.
  - Ingestion points: Log files read during Phase 5 (Analyze Logs) as described in SKILL.md.
  - Boundary markers: Absent; logs are processed as raw NDJSON without delimiters or instructions to ignore content.
  - Capability inventory: Local server startup, file system modification (write/truncate/delete), and reading of arbitrary local log files.
  - Sanitization: Log content is not sanitized or escaped before being presented to the agent's context.
Audit Metadata