skills/ooiyeefei/ccc/streak/Gen Agent Trust Hub

streak

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, CREDENTIALS_UNSAFE)
Full Analysis
  • DATA_EXFILTRATION (MEDIUM): The docker-compose.yml file mounts the user's host SSH directory (~/.ssh) and Git configuration (~/.gitconfig) into the Docker container. While this is intended to support the 'Git Sync' feature, it exposes highly sensitive private keys and identity information to the container environment. This exposure represents a significant risk if the container or the bot script were to be compromised.
  • CREDENTIALS_UNSAFE (LOW): The skill's design involves storing sensitive Telegram Bot Tokens and Chat IDs in plain text within markdown configuration files (.streak/config.md). Although the documentation includes warnings against committing these files to version control, storing secrets in cleartext in the local filesystem is a weak security practice.
  • EXTERNAL_DOWNLOADS (LOW): The Dockerfile and requirements.txt specify external dependencies from standard repositories (PyPI and Debian/Ubuntu mirrors). While these are from trusted sources, the use of unpinned versions for some dependencies (pytz>=2024.1) is a minor best-practice violation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:18 PM