skills/cloudvoyant/codevoyant/dev/Gen Agent Trust Hub

dev

Fail

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill frequently invokes npx @codevoyant/agent-kit across multiple workflow files (allow.md, approve.md, docs.md, plan.md, pr-fix.md). This namespace ('codevoyant') differs from the declared author name ('cloudvoyant') provided in the skill context. This character substitution is a known pattern for supply chain attacks like typosquatting.
  • [COMMAND_EXECUTION]: The skill uses shell commands for core logic, including npx, git, gh (GitHub CLI), and glab (GitLab CLI). The execution of the suspicious @codevoyant/agent-kit package via npx presents a high risk of arbitrary code execution if the package is malicious.
  • [DATA_EXFILTRATION]: In agents/linear-tasks-agent.md, the skill reads local architectural plans and task breakdowns, extracts metadata using git remote -v, and transmits this data to the Linear API via save_issue and create_attachment. While this is functional for the 'approve' workflow, it represents a path where sensitive internal project data is sent to a third-party service.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection across several workflows:
    • Ingestion points: Untrusted data enters the context via git clone in diff.md, web scraping (WebFetch, WebSearch) in researcher.md, and pull request review comment fetching in pr-fix.md.
    • Boundary markers: None. External content from remote repos and web pages is read and processed without delimiters or instructions to ignore embedded commands.
    • Capability inventory: The skill has high-privilege capabilities including file system writes (Write), shell command execution (git, gh, glab, npx), and the ability to spawn sub-agents with specific model configurations.
    • Sanitization: None. The skill does not perform validation or sanitization on content retrieved from external sources before passing it to sub-agents for analysis and proposal generation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 15, 2026, 03:06 PM