credential-manager

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE
Full Analysis
  • [Data Exposure & Exfiltration] (SAFE): The skill identifies and reads local credential files (e.g., .env, credentials.json) for the purpose of consolidation. This behavior is the primary stated function of the skill. No network calls to non-whitelisted domains or exfiltration patterns were found.
  • [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill does not perform any remote script execution (e.g., curl piped to bash) or install third-party packages. It utilizes standard Python library modules for all operations.
  • [Privilege Escalation] (SAFE): Use of chmod 600 to restrict file access to the owner is a documented security feature. No unauthorized privilege escalation attempts, such as sudo usage or Windows UAC bypasses, were detected.
  • [Indirect Prompt Injection] (LOW): The skill possesses a data ingestion surface by reading local credential files. Evidence Chain: 1. Ingestion points: scripts/scan.py and scripts/consolidate.py read local .env and .json files; 2. Boundary markers: Absent for internal credential data; 3. Capability inventory: f.unlink() in scripts/cleanup.py and file writing in scripts/consolidate.py; 4. Sanitization: Basic key-value parsing and json.load(). The risk is minimal as the data is not processed as instructions by the LLM.
  • [Dynamic Execution] (SAFE): The skill generates a centralized .env file and template. This is done via static string construction and does not involve eval(), exec(), or unsafe deserialization of untrusted data.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 19, 2026, 01:51 AM