claude-code-analyzer

Fail

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/github-discovery.sh script is vulnerable to command injection within the urlencode function.
  • Evidence: The function uses python3 -c with a string variable directly interpolated into single quotes: python3 -c "import urllib.parse; print(urllib.parse.quote('$string'))".
  • Risk: If the QUERY parameter is attacker-controlled, a value containing a single quote followed by Python code closes the string literal, and that code is executed by the host's Python interpreter.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local conversation history and configuration files.
  • Evidence: scripts/analyze.sh reads data from ${HOME}/.claude/projects and ${HOME}/.claude/settings.json.
  • Context: While this access is required for the skill's stated purpose of analyzing Claude Code usage, these files can contain sensitive information from previous AI interactions.
  • [PROMPT_INJECTION]: The skill processes untrusted data from local project files and logs, making it vulnerable to indirect prompt injection.
  • Ingestion points: scripts/analyze-claude-md.sh reads package.json and CLAUDE.md; scripts/analyze.sh parses .jsonl conversation logs.
  • Boundary markers: No specific delimiters are present in the script outputs to isolate untrusted data from instructions.
  • Capability inventory: The skill has access to the Bash tool and broad filesystem read permissions.
  • Sanitization: Although output is structured as JSON via jq, no text-based sanitization is performed on the content of the analyzed files.
  • [EXTERNAL_DOWNLOADS]: The scripts/github-discovery.sh script queries the GitHub API using the gh CLI to find community resources. This interaction is limited to metadata retrieval from a well-known service and is documented here for completeness.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 28, 2026, 07:16 AM