nocobase-dsl-reconciler
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions (SKILL.md) and multiple scripts such as 'scripts/cleanup-copy.py' and 'scripts/copy-data.py' include hardcoded default credentials like 'admin@nocobase.com' and 'admin123' for development database and application access.
- [DATA_EXFILTRATION]: The authentication logic in 'src/client/auth.ts' scans sensitive configuration files of other AI agent applications, specifically searching for Bearer tokens in '/.claude/settings.json', '/.claude/settings.local.json', and '~/.kimi/mcp.json'.
- [COMMAND_EXECUTION]: The skill makes extensive use of the shell to execute system commands like 'git', 'npx', and 'psql', creating a potential attack surface for command injection if workspace configuration files are maliciously crafted.
- [PROMPT_INJECTION]: The skill has a high surface area for indirect prompt injection.
  1. Ingestion points: The skill reads and processes YAML, JavaScript, and SQL content from arbitrary project files in the 'workspaces/' directory.
  2. Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands when parsing these files.
  3. Capability inventory: The skill possesses 'shell' access, performs network requests via 'axios', and executes raw database queries through 'psql'.
  4. Sanitization: No sanitization or validation of the external file content is performed before it is used in system commands or deployed to the target NocoBase server.
Audit Metadata