The Agent Skills Directory

[Remote Code Execution] (HIGH): The skill relies on npx -y @steipete/oracle to perform its primary functions. This command downloads and executes code from the npm registry at runtime. Because @steipete is not a recognized trusted source in the provided framework, this represents a high-risk supply chain vector where a compromised package could execute arbitrary commands on the agent's host system.
[Data Exposure & Exfiltration] (HIGH): The skill is designed to bundle local files and prompts to send to external APIs or browser-based LLM sessions. While this is the stated purpose, it facilitates the exfiltration of potentially sensitive source code and internal documentation to third-party services. Broad glob patterns like --file "src/**" increase the risk of accidentally including secrets or private keys.
[Indirect Prompt Injection] (HIGH): The skill processes untrusted external content (the local filesystem) and feeds it into an LLM context.
Ingestion points: Files specified via the --file argument (e.g., SKILL.md).
Boundary markers: None identified in the command structure to delimit file content from instructions.
Capability inventory: The skill uses npx for execution and has inherent network access to send data to LLMs.
Sanitization: No sanitization or filtering of file content is mentioned, allowing malicious instructions embedded in code comments or markdown files to subvert the LLM's review logic.
[Credentials Unsafe] (MEDIUM): The documentation explicitly references the use of OPENAI_API_KEY and a --remote-token <secret> for remote browser hosting. While the skill uses placeholders in the documentation, it encourages the handling and transmission of sensitive credentials which may be exposed in shell history or process monitoring tools.

oracle