aiconfig-projects
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill directs the agent to automatically detect API keys by searching environment variables and sensitive local configuration files. Specifically, it instructs the agent to read ~/.claude/config.json to extract the LaunchDarkly API key, which is a platform-level configuration file that may contain credentials for multiple other services and MCP servers.
- [COMMAND_EXECUTION]: The skill and its associated reference guides rely on the agent executing a variety of shell commands. These include performing network requests via curl to interact with the LaunchDarkly REST API, managing local files like .env and .gitignore, and running scripts in Python, Node.js, and Go to initialize SDKs and automate project management.
- [DATA_EXFILTRATION]: The skill describes workflows for retrieving sensitive SDK keys from an external API and propagating them to multiple storage systems, such as local environment files, cloud-based secret managers (AWS, GCP, Azure), and CI/CD secret stores (GitHub, GitLab, CircleCI). Moving secrets across different trust boundaries and environments in this way represents a data handling risk.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions to download and install third-party libraries from public registries, including PyPI, NPM, and the Go module proxy, to support the integration and management functionality.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests project metadata (names, keys, tags) from the LaunchDarkly API responses (found in SKILL.md and references). No specific boundary markers or sanitization procedures are documented for this external data, while the agent maintains a capability inventory that includes file system writes and subprocess execution.