The Agent Skills Directory

[CREDENTIALS_UNSAFE] (CRITICAL): The skill design mandates storing all API keys and secrets in a central plaintext file at ~/.claude/.env. It provides explicit instructions and script patterns for skills to source and read this file.
[COMMAND_EXECUTION] (CRITICAL): The recommended wrapper script secure-api.sh uses eval echo \$${SERVICE_UPPER}_${PROFILE_UPPER}_API_KEY to access secrets. Using eval on variables that could be influenced by a created skill's configuration (like service or profile names) allows for arbitrary command injection and full system compromise.
[DATA_EXFILTRATION] (HIGH): While the skill claims to prevent credentials from appearing in chat, it establishes the infrastructure for any generated skill to read the ~/.claude/.env file. A maliciously generated skill could easily exfiltrate these keys via the network capabilities (curl) described in the documentation.
[PROMPT_INJECTION] (HIGH): The /heal-skill and /create-agent-skill commands operate by analyzing external, untrusted content (API documentation, error logs, and user descriptions).
Ingestion points: Web documentation (via 'researches APIs'), conversation context, and skill failure logs.
Boundary markers: None. The instructions rely on Claude to 'analyze' and 'propose fixes'.
Capability inventory: Writing and modifying files in ~/.claude/skills/, executing shell commands, and installing packages via pip.
Sanitization: None. The logic depends on natural language reasoning over potentially adversarial input.
[EXTERNAL_DOWNLOADS] (MEDIUM): The skill encourages the use of pip install to add dependencies researched from the web. This could lead to the installation of typosquatted or malicious packages if the 'research' phase is compromised via indirect injection.

create-agent-skills