search-layer
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/fetch_thread.py is designed to read from ~/.git-credentials to automatically discover GitHub tokens. This file typically contains sensitive authentication secrets in plain text, making its access a significant security risk.
- [COMMAND_EXECUTION]: The skill requires the agent to execute multiple Python scripts (search.py, fetch_thread.py, chain_tracker.py) with command-line arguments that include data derived from user queries and external web content.
- [EXTERNAL_DOWNLOADS]: The system is built to fetch content from arbitrary external URLs and call third-party search APIs (Exa, Tavily, Grok) to retrieve snippets and full page content.
- [DATA_EXFILTRATION]: User queries and intent data are transmitted to third-party search providers as part of the search process.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by ingesting and processing untrusted data from the web (GitHub issues, Reddit posts, etc.) using LLMs for relevance scoring and summarization.
  1. Ingestion points: Untrusted data enters the context via scripts/fetch_thread.py (web/API content) and scripts/search.py (search snippets).
  2. Boundary markers: While scripts/search.py includes a system prompt warning the LLM about untrusted input, other orchestration scripts like scripts/chain_tracker.py and scripts/relevance_gate.py lack explicit delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill scripts can perform network requests to arbitrary domains and access local configuration files in the user's home directory.
  4. Sanitization: The skill utilizes trafilatura and BeautifulSoup to strip HTML tags and scripts, which mitigates structural injections but does not protect against text-based instructions in the fetched content.
Audit Metadata