overnight-repo-auditor

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill mandates a high degree of autonomy by instructing the agent to 'not ask questions' and 'not pause for confirmation,' which effectively bypasses user oversight and safety guardrails during its 14.5-hour execution window.
  • [DATA_EXFILTRATION]: The 'Security Auditor' module is explicitly tasked with identifying and aggregating sensitive files and credentials, including '.env' files, '.ssh' keys, and hardcoded 'api_key' or 'Authorization' tokens. This systematic collection of secrets into a single report creates a high-density target for credential exposure.
  • [REMOTE_CODE_EXECUTION]: The 'Dependency Auditor' module is directed to dynamically install external software tools (e.g., 'pip install safety', 'pip install pip-audit') at runtime if they are missing, which introduces the risks associated with executing code fetched from external package registries.
  • [COMMAND_EXECUTION]: The skill extensively uses the 'Bash' tool to perform repository reconnaissance (via 'ls', 'find', 'wc') and to execute various third-party security and dependency audit binaries.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data from the entire repository and processes it using agents with high-privilege capabilities (Bash, Write, Agent) without implementing boundary markers, delimiters, or sanitization.
    • Ingestion points: Files ingested via 'Read', 'Grep', and 'Glob' across the entire repository and passed to sub-agents.
    • Boundary markers: None implemented to distinguish audited code from agent instructions.
    • Capability inventory: Sub-agents have access to 'Bash', 'Write', 'Agent' (background spawning), and 'Read' tools.
    • Sanitization: No validation or filtering is performed on repository content before it is processed by the AI models.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 10, 2026, 05:26 PM