The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The get_github_auth() function in SKILL.md contains logic to automatically scan sensitive local filesystem paths (/mnt/project/.env, /mnt/project/github.env) for secrets like GITHUB_PAT and GITHUB_TOKEN. This pattern of searching common locations for credentials can lead to unauthorized access to user secrets if the agent environment is shared or if the skill is used without explicit user awareness of what files are being read.
[COMMAND_EXECUTION] (MEDIUM): Multiple Bash examples in SKILL.md utilize patterns such as curl ... | python3 -c "...". While the Python code provided in the snippets is for decoding purposes, this pattern of piping remote data directly into an interpreter is a high-risk practice that can be exploited if the target URL is redirected or the response is manipulated.
[PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
Ingestion points: Remote content is ingested via fetch_file, fetch_repo_tarball, and various curl examples.
Boundary markers: None. The skill does not implement delimiters or instructions for the agent to ignore potentially malicious content inside the fetched files.
Capability inventory: The skill possesses significant capabilities including network requests (urllib.request), file writing (tar -xzf), and repository modification (push_file).
Sanitization: None. Content is decoded from Base64 and returned as a raw string or written directly to the filesystem.
[DATA_EXFILTRATION] (LOW): The skill facilitates the transmission of potentially harvested credentials to api.github.com. While GitHub is a trusted domain, the automated retrieval of tokens from .env files combined with network capabilities creates a risk surface for exfiltration if the 'owner' or 'repo' parameters are controlled by a malicious actor.

accessing-github-repos