orchestrating-skills

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
Tags: CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill attempts to retrieve an API key from a hardcoded sensitive file path at /mnt/project/claude.env if the environment variable is not present. While used for official API communication, accessing sensitive environment files from predictable paths is a security risk.
      ◦ Evidence: The _get_api_key function in scripts/client.py reads from /mnt/project/claude.env.
  • [DYNAMIC_EXECUTION]: The orchestration logic dynamically modifies the Python module search path (sys.path) to import and execute code from separate filesystem locations, such as other user-uploaded skills. This allows execution of code that is not contained within the skill's own package.
      ◦ Evidence: In scripts/orchestrate.py, the _persist function uses sys.path.insert(0, search_path) to load scripts from /mnt/skills/user/remembering or /home/user/claude-skills/remembering.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process arbitrary text context, which is then interpolated into several prompt templates for sub-tasks and synthesis. This architecture is vulnerable to instructions embedded in the analyzed data.
      ◦ Ingestion points: The context argument passed to the orchestrate function in scripts/orchestrate.py.
      ◦ Boundary markers: Uses basic Markdown headers (e.g., ## Context) to separate user context from system instructions.
      ◦ Capability inventory: The skill has network access via httpx and the ability to load and execute external scripts via filesystem path modification.
      ◦ Sanitization: No evidence of input validation, filtering, or escaping for the ingested context data was found.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 7, 2026, 04:36 AM