skills/johnlindquist/claude/bundle/Gen Agent Trust Hub

bundle

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The core functionality of the skill is to upload local file content to a remote service (GitHub Gists). This creates a direct vector for data exfiltration. If an agent is targeted by indirect prompt injection, it could be coerced into uploading sensitive files like .env, ~/.ssh/id_rsa, or ~/.aws/credentials to a public or private gist.
  • [PROMPT_INJECTION] (HIGH): The skill exposes an 'Indirect Prompt Injection' surface (Category 8). It ingests untrusted data (local source code and imports) and possesses high-privilege capabilities (network write via gh gist and local file write).
      • Ingestion points: The script bundle-file.sh reads arbitrary files via cat and extracts strings via grep and sed.
      • Boundary markers: None are present; the skill treats all file content as data to be bundled without isolation.
      • Capability inventory: Execution of gh CLI for network operations and shell redirection for file modification.
      • Sanitization: None detected; the script assumes file contents and names are benign.
  • [COMMAND_EXECUTION] (MEDIUM): The provided shell scripts (e.g., bundle-file.sh and the Gist Workflow snippets) use shell variable interpolation (e.g., cat $FILE, cat "$resolved") without consistent quoting or validation. This could lead to local command execution if a project contains filenames with shell metacharacters like backticks or subshell expansions.
  • [CREDENTIALS_UNSAFE] (INFO): The documentation explicitly mentions gh auth login, which handles authentication. While the skill doesn't hardcode credentials, it relies on the user's active GitHub session, which can be leveraged by the agent to perform actions on the user's behalf without further confirmation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:40 AM