ctx

Fail

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill maintains a highly sensitive configuration file at ~/.config/ctx/credentials.yaml containing Cloudflare API tokens, AI service keys, and site-specific cookies. Furthermore, the ctx read command allows reading any local file via file:// or direct paths, which could be used to expose system secrets like SSH keys or .env files.
  • [COMMAND_EXECUTION]: The feedback mechanism described in references/feedback.md uses the gh CLI with complex shell heredocs. This pattern is vulnerable to command injection if malicious content from external documentation or error logs is interpolated into the command body by the agent.
  • [DATA_EXFILTRATION]: The integration of a 'file feedback' workflow using gh issue create to a remote repository (ethan-huo/ctx) provides an easy path for data exfiltration. An agent could be manipulated via indirect prompt injection to include the contents of the credentials.yaml file or other sensitive local data in a GitHub issue.
  • [PROMPT_INJECTION]: The skill's core workflow involves processing untrusted content from the web (ctx read, ctx crawl, ctx json). This creates a significant surface for indirect prompt injection attacks where a website can host instructions that the agent might follow, leading to unauthorized tool use or data disclosure.
  • [REMOTE_CODE_EXECUTION]: The addScriptTag feature in ctx read and ctx scrape allows the injection and execution of arbitrary JavaScript within the browser rendering context. This dynamic execution capability could be exploited to perform actions in the context of the rendered site or to influence the content extraction process maliciously.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloads and network requests to Cloudflare, GitHub, and arbitrary URLs. While necessary for its function, this behavior increases the risk when combined with the data processing capabilities mentioned above.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 31, 2026, 06:36 AM