
reproduce

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing various shell commands to perform its primary function, including 'docker', 'curl', 'rg', and 'bash'. This provides a broad capability for environment interaction.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically locates and executes a shell script ('sanity_check.sh') from multiple potential paths, including user home directories ('/.codex/', '/.claude/') and repository paths. Executing scripts from computed paths outside the skill's own package is a risk if an attacker can control those locations.
  • [DATA_EXFILTRATION]: The skill instructs the agent to access potentially sensitive data sources for debugging, such as application logs, database state (via 'docker exec'), and Gmail messages (via the 'gog' tool). This represents a significant data exposure surface.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection as it ingests untrusted data from logs, database queries, and repository files.
    • Ingestion points: Processes repo files ('package.json', 'README.md') via 'rg' and 'ls'; reads container logs via 'docker logs'; reads database rows via 'docker exec'.
    • Boundary markers: None present; the instructions do not specify delimiters or warnings to ignore instructions embedded in the data being verified.
    • Capability inventory: Full shell execution ('bash'), container access ('docker'), network access ('curl'), and the ability to modify build files (Makefiles).
    • Sanitization: No sanitization or validation of external data is performed before it is analyzed by the agent or used to determine subsequent commands.
  • [PERSISTENCE_MECHANISMS]: The skill instructs the agent to modify repository automation files (like '.env-manager/Makefile') to standardize environment setup. If the agent is influenced by malicious data, this could be used to insert persistent commands into the project's build or startup flows.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 02:39 PM