tool-advisor

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
Threat categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: Accesses sensitive configuration files. The environment discovery script reads and parses files such as ~/.claude/settings.json, .mcp.json, and ~/.codex/config.json. These files typically store authentication tokens and environment configurations for Model Context Protocol (MCP) servers.
  • [DATA_EXFILTRATION]: Accesses environment variable files. The skill checks for the existence of .env files and counts their lines. While it does not display the full content, accessing these files is considered high-risk as they are primary locations for storing secrets.
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability surface. The skill ingests untrusted data from the local file system by reading descriptions from other skills and agents.
      • Ingestion points: The Phase 1 Bash script scans ~/.claude/skills, ~/.agents/skills, and ~/.claude/agents, reading the description or role fields from SKILL.md, .md, .yaml, and .txt files.
      • Boundary markers: The extracted descriptions are presented in Markdown format without specific sanitization or any instruction to the agent to ignore commands embedded in that content.
      • Capability inventory: The skill can execute shell commands and influence the agent's tool-selection logic via its output recommendations.
      • Sanitization: The skill uses basic string processing and Python JSON/YAML parsing to extract and truncate the description text, but does not sanitize it for malicious prompt instructions.
  • [COMMAND_EXECUTION]: Executes a complex Bash script for local discovery. The script iterates through numerous directories and uses embedded Python one-liners to parse JSON and TOML files across the user's home directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 7, 2026, 04:00 AM