blocklet-server-dev-setup

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION / EXTERNAL_DOWNLOADS] (HIGH): The skill clones the ArcBlock/blocklet-server repository and immediately executes a sub-skill located at ~/arcblock-repos/blocklet-server/.claude/skills/project-setup/SKILL.md. This pattern of downloading content and then interpreting it as executable instructions creates a high risk of remote code execution if the source repository is compromised.
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes multiple shell commands including git clone, git pull, and git checkout. It also instructs the agent to run bun install and bun turbo:dep as part of the setup process, which involves executing arbitrary code from the downloaded project's dependencies.
  • [DATA_EXFILTRATION] (LOW): The skill interacts with GitHub for cloning and pulling repositories. While github.com is a whitelisted domain, the skill has access to the local $HOME/arcblock-repos/ directory. No evidence of unauthorized data transfer was found, but the capability exists via the git operations.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill possesses a significant attack surface by ingesting untrusted data from a remote repository and using it to guide agent behavior.
      • Ingestion points: git clone git@github.com:ArcBlock/blocklet-server.git (Phase 2).
      • Boundary markers: None. The skill assumes the content of the downloaded SKILL.md is safe to follow.
      • Capability inventory: Shell execution (bun install, bun turbo:dep), directory creation, and file system navigation.
      • Sanitization: None. The skill does not validate or sanitize the instructions found in the remote project-setup/SKILL.md file before execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:56 AM