The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The command kweaver token is explicitly designed to retrieve and output the current access token, exposing session credentials to the agent's context and potentially to logs.
[CREDENTIALS_UNSAFE]: The kweaver ds connect command instructions encourage the use of plaintext passwords as command-line arguments (e.g., --password <pass>), which can be exposed in system process lists and shell history.
[DATA_EXPOSURE]: The skill interacts with the sensitive directory ~/.kweaver/, which stores authentication credentials and configuration data.
[EXTERNAL_DOWNLOADS]: The skill relies on downloading and executing the @kweaver-ai/kweaver-sdk package via npm or npx at runtime.
[PROMPT_INJECTION]: The SKILL.md file contains instructions that forbid the agent from verifying environment variables or asking the user for credentials (禁止提前检查环境变量，禁止询问用户提供密码或 Token), effectively forcing the agent to operate using stored credentials without explicit user confirmation of the target environment.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from multiple external sources.
Ingestion points: Data retrieved from kweaver bkn search, kweaver ds tables, kweaver agent history, and kweaver vega resource preview (SKILL.md, references/bkn.md, references/agent.md, references/vega.md).
Boundary markers: The instructions lack explicit boundary markers or directives for the agent to ignore instructions embedded within the retrieved knowledge or database content.
Capability inventory: The agent has the ability to execute any command within the kweaver CLI suite via Bash, including data deletion and action execution (references/agent.md, references/bkn.md).
Sanitization: There is no evidence of sanitization or validation performed on data fetched from the knowledge networks or databases before it is returned to the agent's context.

kweaver