strava-api

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The scripts refresh_token.py and setup_oauth.py use os.system to install the requests library from PyPI at runtime. This dynamic installation of dependencies is a security risk as it bypasses version pinning and static analysis of the environment.
  • [COMMAND_EXECUTION] (HIGH): The secure_storage.py module uses subprocess.run to execute host-level commands (security on macOS and secret-tool on Linux). This grants the agent the capability to interact directly with the system's password management infrastructure to store and retrieve sensitive information.
  • [CREDENTIALS_UNSAFE] (HIGH): The skill provides Python functions to retrieve Strava client_secret, access_token, and refresh_token from the system keychain. Because the agent can execute these scripts or import the Python module, the claim that secrets are inaccessible to the agent is false. This creates a direct path for credential exfiltration.
  • [METADATA_POISONING] (HIGH): The SKILL.md file contains a security claim stating 'AI agents CANNOT read secrets from keychain'. This is a deceptive statement because the skill includes the scripts necessary to perform those reads, which could mislead users into granting higher permissions than intended.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The OAuth setup flow in setup_oauth.py ingests a user-provided URL to extract authorization codes. This represents an untrusted data entry point that connects to sensitive keychain-write capabilities.
    • Ingestion points: User-provided redirect URL in scripts/setup_oauth.py.
    • Boundary markers: Absent; no instructions provided to the LLM to ignore embedded commands in the URL data.
    • Capability inventory: Subprocess calls to keychain tools in scripts/secure_storage.py; network POST requests in scripts/setup_oauth.py.
    • Sanitization: Uses urllib.parse to extract the code, but does not validate the integrity or source of the input beyond basic parsing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 22, 2026, 11:28 AM