holyclaude-ai-workstation

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill directs users to pull and run a pre-built Docker image from an unverified third-party repository (CoderLuii/HolyClaude:latest). Running opaque binary images from untrusted authors is a severe supply chain risk: the skill's instructions give no digest, signature, or build provenance against which the image contents could be verified, and `latest` is a mutable tag, so what is pulled can change between runs without any change to the skill.
  • [REMOTE_CODE_EXECUTION]: By instructing the user to run `docker compose up` against a remote image, the skill causes code the user has never inspected to execute on the local Docker host. The image contains over 50 development tools and multiple AI CLIs whose source and integrity are not validated.
  • [COMMAND_EXECUTION]: The provided configuration disables a key container security feature by setting `security_opt: ["seccomp:unconfined"]`. This removes Docker's default seccomp profile, which blocks dozens of dangerous or rarely needed system calls, so the container can issue any syscall the kernel accepts. That enlarges the kernel attack surface reachable from inside the container and increases the impact of any container breakout or compromise.
  • [CREDENTIALS_UNSAFE]: The skill configuration prompts users to provide sensitive API keys (Anthropic, Gemini, OpenAI, Cursor) via environment variables and persists credential state by mounting host directories (e.g., `./data/claude:/root/.claude`). Environment variables are readable by every process in the container and by anyone who can run `docker inspect` on the host, and the bind mounts leave tokens and session files on the host disk. This exposes high-value secrets to the untrusted container environment.
  • [DATA_EXFILTRATION]: The workstation is configured with full network access and includes tools like curl, wget, and headless browsers (Chromium), which could be used to exfiltrate data or credentials stored in the mounted volumes to external servers.
  • [PROMPT_INJECTION]: The skill defines a platform for processing untrusted external data (web pages via Playwright, local project files) without explicit boundary markers or sanitization guidelines. This exposes the agent to indirect prompt injection where malicious instructions embedded in data could trigger the agent to perform unauthorized actions using its extensive toolset.
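To make the EXTERNAL_DOWNLOADS, COMMAND_EXECUTION and CREDENTIALS_UNSAFE findings concrete, the following Compose fragment shows the weak settings the audit describes next to hardened equivalents. This is an added example, not the skill's own docker-compose.yml: the service name, the digest placeholder, the secret name and the environment variable ANTHROPIC_API_KEY are assumptions, and whether the bundled CLIs can read a key from a file rather than a plain variable must be checked per tool.

```yaml
# Added example (not the HolyClaude project's file). Weak settings are shown
# as comments above the hardened setting that replaces them.
services:
  workstation:
    # Weak:  image: CoderLuii/HolyClaude:latest   (mutable tag, no provenance)
    # Hardened: pin the exact content you reviewed. Obtain the digest with
    #   docker buildx imagetools inspect <image>   (value below is a placeholder)
    image: coderluii/holyclaude@sha256:<digest-of-the-image-you-inspected>

    # Weak:
    #   security_opt:
    #     - seccomp:unconfined
    # Hardened: omit seccomp:unconfined so Docker's default profile applies,
    # and additionally block privilege escalation via setuid binaries.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL           # add back individual capabilities only if a tool needs them
    pids_limit: 512   # bounds fork bombs and runaway tool processes

    # Weak:
    #   environment:
    #     - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}   (visible to every process and to docker inspect)
    # Hardened: mount the key as a Compose file secret; it appears only at
    # /run/secrets/<name> inside the container. Assumption: the CLI can be
    # pointed at that file (or a small entrypoint wrapper exports it at start).
    secrets:
      - anthropic_api_key
    environment:
      - ANTHROPIC_API_KEY_FILE=/run/secrets/anthropic_api_key   # assumed variable name

    # Weak:  ./data/claude:/root/.claude   (tokens and session state persist on the host)
    # Hardened: keep CLI state in a named volume the host does not expose as a
    # plain directory, and mount project sources read-only where possible.
    volumes:
      - claude_state:/root/.claude
      - ./project:/workspace:ro

volumes:
  claude_state: {}

secrets:
  anthropic_api_key:
    file: ./secrets/anthropic_api_key   # mode 0600, outside the repository
```

Pinning by digest does not make the image trustworthy; it only guarantees that the content inspected once (for example by running `docker history` and `docker sbom`-style tooling against it) is the content that runs later. The DATA_EXFILTRATION finding is not addressed by this fragment: with curl, wget and Chromium in the image, outbound traffic still needs to be constrained at the network layer (an egress proxy with an allowlist of the AI provider endpoints), since a Compose `internal: true` network would also cut the CLIs off from the APIs they need.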
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 25, 2026, 11:48 PM