cto-heartbeat
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions include bash commands that read sensitive credentials (GH_TOKEN and QUEST_TOKEN) from a hardcoded environment file path at '$HOME/projects/fellowship-dev/claude-buddy/.env'. While this appears to be the author's local configuration, hardcoding access to sensitive files is a security risk.
- [COMMAND_EXECUTION]: The skill uses unsanitized user-provided arguments ($1 as $REPO and subsequent arguments as $GOAL_CONTEXT) directly within bash scripts. This allows for command injection if a user provides a repository name containing shell metacharacters (e.g., 'my-repo; rm -rf /').
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from the target repository.
  - Ingestion points: Uses 'gh issue list' and 'gh pr list' to fetch issue titles, bodies, and labels from external repositories.
  - Boundary markers: None identified; external content is processed directly to determine triaging and dispatching logic.
  - Capability inventory: The agent has permissions to write to the repository (labels/issues) and perform network operations via 'curl' to a local endpoint.
  - Sanitization: No sanitization or escaping of the fetched GitHub content is performed before the agent processes it to make decisions.
- [DATA_EXFILTRATION]: The skill sends a report containing repository data to a local server at 'http://127.0.0.1:4242/api/event' using a bearer token extracted from local files.
Recommendations
- AI detected serious security threats
Audit Metadata