integration

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill requires reading a sensitive authentication token from the local file system at /tmp/tabz-auth-token (referenced in references/cli-websocket.md and references/spawn-api.md).
  • [DATA_EXFILTRATION]: The skill includes shell functions to capture sensitive terminal data, such as tmux capture-pane for terminal output and fc -ln -1 for shell command history, which are then transmitted to a local server (references/cli-websocket.md).
  • [COMMAND_EXECUTION]: The provided instructions in references/cli-websocket.md require the use of sudo to install system-level dependencies (websocat, jq). Additionally, the tabz-last function uses fc to retrieve and re-execute the last shell command to capture its output.
  • [REMOTE_CODE_EXECUTION]: The tabz:spawn protocol and /api/spawn API endpoint allow for the execution of arbitrary shell commands (references/markdown-links.md, references/spawn-api.md). This creates a significant risk of remote code execution if the agent or user interacts with malicious content (e.g., a link in a third-party markdown file) that triggers these actions.
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection where malicious instructions could be embedded in Markdown links (tabz:) or HTML attributes (data-terminal-command).
    • Ingestion points: Markdown files rendered by the extension, external documentation pages, or web apps using the TabzChrome JS API.
    • Boundary markers: Absent; the skill does not suggest delimiters or warnings to ignore instructions embedded in the queued or spawned content.
    • Capability inventory: Arbitrary command execution via tabz:spawn and the /api/spawn endpoint; text injection via tabz:queue and tabz:paste.
    • Sanitization: Absent; the instructions focus on URL encoding for transmission but do not include validation or filtering of the commands being executed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 29, 2026, 02:15 AM