system-audit

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute a variety of commands including find, grep, git, jq, stat, and which. It also executes version checks (e.g., gh --version) for several CLI tools.
  • [DATA_EXFILTRATION]: The skill accesses sensitive configuration files, specifically ~/Library/Application Support/Claude/claude_desktop_config.json and ~/.claude/settings.json. These files may contain sensitive metadata, paths, or environment configurations.
  • [DATA_EXFILTRATION]: Instructions to sub-agents include writing detailed audit findings to the /tmp/system-audit/ directory. Since /tmp is a shared system directory, this could lead to the exposure of sensitive system information to other local users.
  • [INDIRECT_PROMPT_INJECTION]: The skill functions by scanning and processing contents from a vast array of external files across the system.
    • Ingestion points: Processes SKILL.md files, .bib files, .md documentation, and script headers from multiple directories including research project roots and system configuration folders.
    • Boundary markers: No specific delimiters or "ignore" instructions are provided to sub-agents to prevent them from following instructions embedded in the audited files.
    • Capability inventory: The system allows Bash, Read, Glob, and Task tools, which provide significant reach into the local environment.
    • Sanitization: There is no evidence of content sanitization or validation before incorporating file data into the consolidated audit report.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 4, 2026, 07:17 PM