skills/openclaw/skills/code-explorer/Gen Agent Trust Hub

code-explorer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill contains explicit instructions to search for sensitive configuration and environment variables.
      • Evidence: SKILL.md instructs the agent to use grep -rn "process.env\." and find . -name "*.config.*" -o -name ".env*" -o -name "config.*".
      • Risk: This pattern automatically identifies and surfaces secrets (API keys, database credentials) to the agent's context, making them available for potential exfiltration.
  • [PROMPT_INJECTION] (HIGH): The skill has a significant vulnerability surface for Indirect Prompt Injection (Category 8).
      • Ingestion points: The skill uses Read, Glob, Grep, and Bash to ingest external codebase files into the context of the high-capability 'Opus' model.
      • Boundary markers: Absent. There are no instructions to the agent to treat file contents as untrusted data or to ignore embedded instructions.
      • Capability inventory: The agent has Bash access and the ability to perform complex analysis and reporting.
      • Sanitization: Absent. No filtering of codebase content is performed before processing.
      • Risk: Maliciously crafted comments or strings within the codebase being analyzed could subvert the agent's instructions, leading it to perform unauthorized actions or exfiltrate the secrets it has been told to find.
  • [COMMAND_EXECUTION] (MEDIUM): The skill is granted broad execution privileges via the Bash tool.
      • Evidence: allowed-tools: Read, Glob, Grep, Bash in SKILL.md frontmatter.
      • Risk: While the documentation focuses on grep and find, the raw Bash capability allows for any shell command execution, which could be exploited if the agent's logic is subverted.
  • [DATA_EXFILTRATION] (MEDIUM): The combined capability to read sensitive files and execute shell commands creates an exfiltration path.
      • Risk: If an attacker successfully uses indirect prompt injection, they can leverage the existing Bash and Read tools to transmit discovered credentials or source code to an external endpoint.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 10:34 AM